github.com/1aal/kubeblocks@v0.0.0-20231107070852-e1c03e598921/deploy/cert-manager/templates/cert-manager.yaml (about) 1 # Copyright 2022 The cert-manager Authors. 2 # 3 # Licensed under the Apache License, Version 2.0 (the "License"); 4 # you may not use this file except in compliance with the License. 5 # You may obtain a copy of the License at 6 # 7 # http://www.apache.org/licenses/LICENSE-2.0 8 # 9 # Unless required by applicable law or agreed to in writing, software 10 # distributed under the License is distributed on an "AS IS" BASIS, 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 # See the License for the specific language governing permissions and 13 # limitations under the License. 14 15 apiVersion: v1 16 kind: Namespace 17 metadata: 18 name: cert-manager 19 --- 20 # Source: cert-manager/templates/crds.yaml 21 apiVersion: apiextensions.k8s.io/v1 22 kind: CustomResourceDefinition 23 metadata: 24 name: certificaterequests.cert-manager.io 25 labels: 26 app: 'cert-manager' 27 app.kubernetes.io/name: 'cert-manager' 28 app.kubernetes.io/instance: 'cert-manager' 29 # Generated labels 30 app.kubernetes.io/version: "v1.12.3" 31 spec: 32 group: cert-manager.io 33 names: 34 kind: CertificateRequest 35 listKind: CertificateRequestList 36 plural: certificaterequests 37 shortNames: 38 - cr 39 - crs 40 singular: certificaterequest 41 categories: 42 - cert-manager 43 scope: Namespaced 44 versions: 45 - name: v1 46 subresources: 47 status: {} 48 additionalPrinterColumns: 49 - jsonPath: .status.conditions[?(@.type=="Approved")].status 50 name: Approved 51 type: string 52 - jsonPath: .status.conditions[?(@.type=="Denied")].status 53 name: Denied 54 type: string 55 - jsonPath: .status.conditions[?(@.type=="Ready")].status 56 name: Ready 57 type: string 58 - jsonPath: .spec.issuerRef.name 59 name: Issuer 60 type: string 61 - jsonPath: .spec.username 62 name: Requestor 63 type: string 64 - jsonPath: .status.conditions[?(@.type=="Ready")].message 
65 name: Status 66 priority: 1 67 type: string 68 - jsonPath: .metadata.creationTimestamp 69 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 70 name: Age 71 type: date 72 schema: 73 openAPIV3Schema: 74 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." 75 type: object 76 required: 77 - spec 78 properties: 79 apiVersion: 80 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 81 type: string 82 kind: 83 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 84 type: string 85 metadata: 86 type: object 87 spec: 88 description: Desired state of the CertificateRequest resource. 89 type: object 90 required: 91 - issuerRef 92 - request 93 properties: 94 duration: 95 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. 
96 type: string 97 extra: 98 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 99 type: object 100 additionalProperties: 101 type: array 102 items: 103 type: string 104 groups: 105 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 106 type: array 107 items: 108 type: string 109 x-kubernetes-list-type: atomic 110 isCA: 111 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. 112 type: boolean 113 issuerRef: 114 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. 115 type: object 116 required: 117 - name 118 properties: 119 group: 120 description: Group of the resource being referred to. 121 type: string 122 kind: 123 description: Kind of the resource being referred to. 124 type: string 125 name: 126 description: Name of the resource being referred to. 127 type: string 128 request: 129 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. 130 type: string 131 format: byte 132 uid: 133 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
134 type: string 135 usages: 136 description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. 137 type: array 138 items: 139 description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" 140 type: string 141 enum: 142 - signing 143 - digital signature 144 - content commitment 145 - key encipherment 146 - key agreement 147 - data encipherment 148 - cert sign 149 - crl sign 150 - encipher only 151 - decipher only 152 - any 153 - server auth 154 - client auth 155 - code signing 156 - email protection 157 - s/mime 158 - ipsec end system 159 - ipsec tunnel 160 - ipsec user 161 - timestamping 162 - ocsp signing 163 - microsoft sgc 164 - netscape sgc 165 username: 166 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 167 type: string 168 status: 169 description: Status of the CertificateRequest. This is set and managed automatically. 170 type: object 171 properties: 172 ca: 173 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. 
174 type: string 175 format: byte 176 certificate: 177 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. 178 type: string 179 format: byte 180 conditions: 181 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 182 type: array 183 items: 184 description: CertificateRequestCondition contains condition information for a CertificateRequest. 185 type: object 186 required: 187 - status 188 - type 189 properties: 190 lastTransitionTime: 191 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 192 type: string 193 format: date-time 194 message: 195 description: Message is a human readable description of the details of the last transition, complementing reason. 196 type: string 197 reason: 198 description: Reason is a brief machine readable explanation for the condition's last transition. 199 type: string 200 status: 201 description: Status of the condition, one of (`True`, `False`, `Unknown`). 202 type: string 203 enum: 204 - "True" 205 - "False" 206 - Unknown 207 type: 208 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). 209 type: string 210 x-kubernetes-list-map-keys: 211 - type 212 x-kubernetes-list-type: map 213 failureTime: 214 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. 
215 type: string 216 format: date-time 217 served: true 218 storage: true 219 --- 220 # Source: cert-manager/templates/crds.yaml 221 apiVersion: apiextensions.k8s.io/v1 222 kind: CustomResourceDefinition 223 metadata: 224 name: certificates.cert-manager.io 225 labels: 226 app: 'cert-manager' 227 app.kubernetes.io/name: 'cert-manager' 228 app.kubernetes.io/instance: 'cert-manager' 229 # Generated labels 230 app.kubernetes.io/version: "v1.12.3" 231 spec: 232 group: cert-manager.io 233 names: 234 kind: Certificate 235 listKind: CertificateList 236 plural: certificates 237 shortNames: 238 - cert 239 - certs 240 singular: certificate 241 categories: 242 - cert-manager 243 scope: Namespaced 244 versions: 245 - name: v1 246 subresources: 247 status: {} 248 additionalPrinterColumns: 249 - jsonPath: .status.conditions[?(@.type=="Ready")].status 250 name: Ready 251 type: string 252 - jsonPath: .spec.secretName 253 name: Secret 254 type: string 255 - jsonPath: .spec.issuerRef.name 256 name: Issuer 257 priority: 1 258 type: string 259 - jsonPath: .status.conditions[?(@.type=="Ready")].message 260 name: Status 261 priority: 1 262 type: string 263 - jsonPath: .metadata.creationTimestamp 264 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 265 name: Age 266 type: date 267 schema: 268 openAPIV3Schema: 269 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." 270 type: object 271 required: 272 - spec 273 properties: 274 apiVersion: 275 description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 276 type: string 277 kind: 278 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 279 type: string 280 metadata: 281 type: object 282 spec: 283 description: Desired state of the Certificate resource. 284 type: object 285 required: 286 - issuerRef 287 - secretName 288 properties: 289 additionalOutputFormats: 290 description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. 291 type: array 292 items: 293 description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. 294 type: object 295 required: 296 - type 297 properties: 298 type: 299 description: Type is the name of the format type that should be written to the Certificate's target Secret. 300 type: string 301 enum: 302 - DER 303 - CombinedPEM 304 commonName: 305 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. 
This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' 306 type: string 307 dnsNames: 308 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. 309 type: array 310 items: 311 type: string 312 duration: 313 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration 314 type: string 315 emailAddresses: 316 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. 317 type: array 318 items: 319 type: string 320 encodeUsagesInRequest: 321 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest 322 type: boolean 323 ipAddresses: 324 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. 325 type: array 326 items: 327 type: string 328 isCA: 329 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. 330 type: boolean 331 issuerRef: 332 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. 333 type: object 334 required: 335 - name 336 properties: 337 group: 338 description: Group of the resource being referred to. 339 type: string 340 kind: 341 description: Kind of the resource being referred to. 
342 type: string 343 name: 344 description: Name of the resource being referred to. 345 type: string 346 keystores: 347 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. 348 type: object 349 properties: 350 jks: 351 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. 352 type: object 353 required: 354 - create 355 - passwordSecretRef 356 properties: 357 create: 358 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority 359 type: boolean 360 passwordSecretRef: 361 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. 362 type: object 363 required: 364 - name 365 properties: 366 key: 367 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 368 type: string 369 name: 370 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 371 type: string 372 pkcs12: 373 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. 374 type: object 375 required: 376 - create 377 - passwordSecretRef 378 properties: 379 create: 380 description: Create enables PKCS12 keystore creation for the Certificate. 
If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority 381 type: boolean 382 passwordSecretRef: 383 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. 384 type: object 385 required: 386 - name 387 properties: 388 key: 389 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 390 type: string 391 name: 392 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 393 type: string 394 literalSubject: 395 description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook. 396 type: string 397 privateKey: 398 description: Options to control private keys used for the Certificate. 399 type: object 400 properties: 401 algorithm: 402 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. 
If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. 403 type: string 404 enum: 405 - RSA 406 - ECDSA 407 - Ed25519 408 encoding: 409 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. 410 type: string 411 enum: 412 - PKCS1 413 - PKCS8 414 rotationPolicy: 415 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. 416 type: string 417 enum: 418 - Never 419 - Always 420 size: 421 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. 422 type: integer 423 renewBefore: 424 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. 
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration 425 type: string 426 revisionHistoryLimit: 427 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. 428 type: integer 429 format: int32 430 secretName: 431 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. 432 type: string 433 secretTemplate: 434 description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. 435 type: object 436 properties: 437 annotations: 438 description: Annotations is a key value map to be copied to the target Kubernetes Secret. 439 type: object 440 additionalProperties: 441 type: string 442 labels: 443 description: Labels is a key value map to be copied to the target Kubernetes Secret. 444 type: object 445 additionalProperties: 446 type: string 447 subject: 448 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). 449 type: object 450 properties: 451 countries: 452 description: Countries to be used on the Certificate. 
453 type: array 454 items: 455 type: string 456 localities: 457 description: Cities to be used on the Certificate. 458 type: array 459 items: 460 type: string 461 organizationalUnits: 462 description: Organizational Units to be used on the Certificate. 463 type: array 464 items: 465 type: string 466 organizations: 467 description: Organizations to be used on the Certificate. 468 type: array 469 items: 470 type: string 471 postalCodes: 472 description: Postal codes to be used on the Certificate. 473 type: array 474 items: 475 type: string 476 provinces: 477 description: State/Provinces to be used on the Certificate. 478 type: array 479 items: 480 type: string 481 serialNumber: 482 description: Serial number to be used on the Certificate. 483 type: string 484 streetAddresses: 485 description: Street addresses to be used on the Certificate. 486 type: array 487 items: 488 type: string 489 uris: 490 description: URIs is a list of URI subjectAltNames to be set on the Certificate. 491 type: array 492 items: 493 type: string 494 usages: 495 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. 496 type: array 497 items: 498 description: "KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" 499 type: string 500 enum: 501 - signing 502 - digital signature 503 - content commitment 504 - key encipherment 505 - key agreement 506 - data encipherment 507 - cert sign 508 - crl sign 509 - encipher only 510 - decipher only 511 - any 512 - server auth 513 - client auth 514 - code signing 515 - email protection 516 - s/mime 517 - ipsec end system 518 - ipsec tunnel 519 - ipsec user 520 - timestamping 521 - ocsp signing 522 - microsoft sgc 523 - netscape sgc 524 status: 525 description: Status of the Certificate. This is set and managed automatically. 526 type: object 527 properties: 528 conditions: 529 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. 530 type: array 531 items: 532 description: CertificateCondition contains condition information for an Certificate. 533 type: object 534 required: 535 - status 536 - type 537 properties: 538 lastTransitionTime: 539 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 540 type: string 541 format: date-time 542 message: 543 description: Message is a human readable description of the details of the last transition, complementing reason. 544 type: string 545 observedGeneration: 546 description: If set, this represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. 547 type: integer 548 format: int64 549 reason: 550 description: Reason is a brief machine readable explanation for the condition's last transition. 551 type: string 552 status: 553 description: Status of the condition, one of (`True`, `False`, `Unknown`). 554 type: string 555 enum: 556 - "True" 557 - "False" 558 - Unknown 559 type: 560 description: Type of the condition, known values are (`Ready`, `Issuing`). 561 type: string 562 x-kubernetes-list-map-keys: 563 - type 564 x-kubernetes-list-type: map 565 failedIssuanceAttempts: 566 description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). 567 type: integer 568 lastFailureTime: 569 description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. 570 type: string 571 format: date-time 572 nextPrivateKeySecretName: 573 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. 574 type: string 575 notAfter: 576 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. 
577 type: string 578 format: date-time 579 notBefore: 580 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. 581 type: string 582 format: date-time 583 renewalTime: 584 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. 585 type: string 586 format: date-time 587 revision: 588 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." 
589 type: integer 590 served: true 591 storage: true 592 --- 593 # Source: cert-manager/templates/crds.yaml 594 apiVersion: apiextensions.k8s.io/v1 595 kind: CustomResourceDefinition 596 metadata: 597 name: challenges.acme.cert-manager.io 598 labels: 599 app: 'cert-manager' 600 app.kubernetes.io/name: 'cert-manager' 601 app.kubernetes.io/instance: 'cert-manager' 602 # Generated labels 603 app.kubernetes.io/version: "v1.12.3" 604 spec: 605 group: acme.cert-manager.io 606 names: 607 kind: Challenge 608 listKind: ChallengeList 609 plural: challenges 610 singular: challenge 611 categories: 612 - cert-manager 613 - cert-manager-acme 614 scope: Namespaced 615 versions: 616 - additionalPrinterColumns: 617 - jsonPath: .status.state 618 name: State 619 type: string 620 - jsonPath: .spec.dnsName 621 name: Domain 622 type: string 623 - jsonPath: .status.reason 624 name: Reason 625 priority: 1 626 type: string 627 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 628 jsonPath: .metadata.creationTimestamp 629 name: Age 630 type: date 631 name: v1 632 schema: 633 openAPIV3Schema: 634 description: Challenge is a type to represent a Challenge request with an ACME server 635 type: object 636 required: 637 - metadata 638 - spec 639 properties: 640 apiVersion: 641 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 642 type: string 643 kind: 644 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 645 type: string 646 metadata: 647 type: object 648 spec: 649 type: object 650 required: 651 - authorizationURL 652 - dnsName 653 - issuerRef 654 - key 655 - solver 656 - token 657 - type 658 - url 659 properties: 660 authorizationURL: 661 description: The URL to the ACME Authorization resource that this challenge is a part of. 662 type: string 663 dnsName: 664 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. 665 type: string 666 issuerRef: 667 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. 668 type: object 669 required: 670 - name 671 properties: 672 group: 673 description: Group of the resource being referred to. 674 type: string 675 kind: 676 description: Kind of the resource being referred to. 677 type: string 678 name: 679 description: Name of the resource being referred to. 680 type: string 681 key: 682 description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.' 683 type: string 684 solver: 685 description: Contains the domain solving configuration that should be used to solve this challenge resource. 
686 type: object 687 properties: 688 dns01: 689 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 690 type: object 691 properties: 692 acmeDNS: 693 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 694 type: object 695 required: 696 - accountSecretRef 697 - host 698 properties: 699 accountSecretRef: 700 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 701 type: object 702 required: 703 - name 704 properties: 705 key: 706 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 707 type: string 708 name: 709 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 710 type: string 711 host: 712 type: string 713 akamai: 714 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 715 type: object 716 required: 717 - accessTokenSecretRef 718 - clientSecretSecretRef 719 - clientTokenSecretRef 720 - serviceConsumerDomain 721 properties: 722 accessTokenSecretRef: 723 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 724 type: object 725 required: 726 - name 727 properties: 728 key: 729 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 730 type: string 731 name: 732 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 733 type: string 734 clientSecretSecretRef: 735 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
736 type: object 737 required: 738 - name 739 properties: 740 key: 741 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 742 type: string 743 name: 744 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 745 type: string 746 clientTokenSecretRef: 747 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 748 type: object 749 required: 750 - name 751 properties: 752 key: 753 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 754 type: string 755 name: 756 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 757 type: string 758 serviceConsumerDomain: 759 type: string 760 azureDNS: 761 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 762 type: object 763 required: 764 - resourceGroupName 765 - subscriptionID 766 properties: 767 clientID: 768 description: if both this and ClientSecret are left unset MSI will be used 769 type: string 770 clientSecretSecretRef: 771 description: if both this and ClientID are left unset MSI will be used 772 type: object 773 required: 774 - name 775 properties: 776 key: 777 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 778 type: string 779 name: 780 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 781 type: string 782 environment: 783 description: name of the Azure environment (default AzurePublicCloud) 784 type: string 785 enum: 786 - AzurePublicCloud 787 - AzureChinaCloud 788 - AzureGermanCloud 789 - AzureUSGovernmentCloud 790 hostedZoneName: 791 description: name of the DNS zone that should be used 792 type: string 793 managedIdentity: 794 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 795 type: object 796 properties: 797 clientID: 798 description: client ID of the managed identity, can not be used at the same time as resourceID 799 type: string 800 resourceID: 801 description: resource ID of the managed identity, can not be used at the same time as clientID 802 type: string 803 resourceGroupName: 804 description: resource group the DNS zone is located in 805 type: string 806 subscriptionID: 807 description: ID of the Azure subscription 808 type: string 809 tenantID: 810 description: when specifying ClientID and ClientSecret then this field is also needed 811 type: string 812 cloudDNS: 813 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 814 type: object 815 required: 816 - project 817 properties: 818 hostedZoneName: 819 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 820 type: string 821 project: 822 type: string 823 serviceAccountSecretRef: 824 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 825 type: object 826 required: 827 - name 828 properties: 829 key: 830 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
831 type: string 832 name: 833 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 834 type: string 835 cloudflare: 836 description: Use the Cloudflare API to manage DNS01 challenge records. 837 type: object 838 properties: 839 apiKeySecretRef: 840 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 841 type: object 842 required: 843 - name 844 properties: 845 key: 846 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 847 type: string 848 name: 849 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 850 type: string 851 apiTokenSecretRef: 852 description: API token used to authenticate with Cloudflare. 853 type: object 854 required: 855 - name 856 properties: 857 key: 858 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 859 type: string 860 name: 861 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 862 type: string 863 email: 864 description: Email of the account, only required when using API key based authentication. 865 type: string 866 cnameStrategy: 867 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 868 type: string 869 enum: 870 - None 871 - Follow 872 digitalocean: 873 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 
874 type: object 875 required: 876 - tokenSecretRef 877 properties: 878 tokenSecretRef: 879 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 880 type: object 881 required: 882 - name 883 properties: 884 key: 885 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 886 type: string 887 name: 888 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 889 type: string 890 rfc2136: 891 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 892 type: object 893 required: 894 - nameserver 895 properties: 896 nameserver: 897 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required. 898 type: string 899 tsigAlgorithm: 900 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` and ``HMACSHA1`` are legacy algorithms; prefer ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them.' 901 type: string 902 tsigKeyName: 903 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 904 type: string 905 tsigSecretSecretRef: 906 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 907 type: object 908 required: 909 - name 910 properties: 911 key: 912 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
913 type: string 914 name: 915 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 916 type: string 917 route53: 918 description: Use the AWS Route53 API to manage DNS01 challenge records. 919 type: object 920 required: 921 - region 922 properties: 923 accessKeyID: 924 description: 'The AccessKeyID is used for authentication. Cannot be set when AccessKeyIDSecretRef is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 925 type: string 926 accessKeyIDSecretRef: 927 description: 'The AccessKeyID is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 928 type: object 929 required: 930 - name 931 properties: 932 key: 933 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 934 type: string 935 name: 936 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 937 type: string 938 hostedZoneID: 939 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
940 type: string 941 region: 942 description: Always set the region when using AccessKeyID and SecretAccessKey 943 type: string 944 role: 945 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 946 type: string 947 secretAccessKeySecretRef: 948 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 949 type: object 950 required: 951 - name 952 properties: 953 key: 954 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 955 type: string 956 name: 957 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 958 type: string 959 webhook: 960 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 961 type: object 962 required: 963 - groupName 964 - solverName 965 properties: 966 config: 967 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 
968 x-kubernetes-preserve-unknown-fields: true 969 groupName: 970 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 971 type: string 972 solverName: 973 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 974 type: string 975 http01: 976 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 977 type: object 978 properties: 979 gatewayHTTPRoute: 980 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 981 type: object 982 properties: 983 labels: 984 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 985 type: object 986 additionalProperties: 987 type: string 988 parentRefs: 989 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' 990 type: array 991 items: 992 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. 
This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." 993 type: object 994 required: 995 - name 996 properties: 997 group: 998 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" 999 type: string 1000 default: gateway.networking.k8s.io 1001 maxLength: 253 1002 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1003 kind: 1004 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" 1005 type: string 1006 default: Gateway 1007 maxLength: 63 1008 minLength: 1 1009 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 1010 name: 1011 description: "Name is the name of the referent. \n Support: Core" 1012 type: string 1013 maxLength: 253 1014 minLength: 1 1015 namespace: 1016 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" 1017 type: string 1018 maxLength: 63 1019 minLength: 1 1020 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 1021 port: 1022 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>" 1023 type: integer 1024 format: int32 1025 maximum: 65535 1026 minimum: 1 1027 sectionName: 1028 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. 
For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 1029 type: string 1030 maxLength: 253 1031 minLength: 1 1032 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1033 serviceType: 1034 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 1035 type: string 1036 ingress: 1037 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 1038 type: object 1039 properties: 1040 class: 1041 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. 1042 type: string 1043 ingressClassName: 1044 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. 1045 type: string 1046 ingressTemplate: 1047 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 1048 type: object 1049 properties: 1050 metadata: 1051 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. 
If labels or annotations overlap with in-built values, the values here will override the in-built values. 1052 type: object 1053 properties: 1054 annotations: 1055 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 1056 type: object 1057 additionalProperties: 1058 type: string 1059 labels: 1060 description: Labels that should be added to the created ACME HTTP01 solver ingress. 1061 type: object 1062 additionalProperties: 1063 type: string 1064 name: 1065 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. 1066 type: string 1067 podTemplate: 1068 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 1069 type: object 1070 properties: 1071 metadata: 1072 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 1073 type: object 1074 properties: 1075 annotations: 1076 description: Annotations that should be added to the create ACME HTTP01 solver pods. 1077 type: object 1078 additionalProperties: 1079 type: string 1080 labels: 1081 description: Labels that should be added to the created ACME HTTP01 solver pods. 1082 type: object 1083 additionalProperties: 1084 type: string 1085 spec: 1086 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. 
1087 type: object 1088 properties: 1089 affinity: 1090 description: If specified, the pod's scheduling constraints 1091 type: object 1092 properties: 1093 nodeAffinity: 1094 description: Describes node affinity scheduling rules for the pod. 1095 type: object 1096 properties: 1097 preferredDuringSchedulingIgnoredDuringExecution: 1098 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 1099 type: array 1100 items: 1101 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 1102 type: object 1103 required: 1104 - preference 1105 - weight 1106 properties: 1107 preference: 1108 description: A node selector term, associated with the corresponding weight. 1109 type: object 1110 properties: 1111 matchExpressions: 1112 description: A list of node selector requirements by node's labels. 1113 type: array 1114 items: 1115 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1116 type: object 1117 required: 1118 - key 1119 - operator 1120 properties: 1121 key: 1122 description: The label key that the selector applies to. 1123 type: string 1124 operator: 1125 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
1126 type: string 1127 values: 1128 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1129 type: array 1130 items: 1131 type: string 1132 matchFields: 1133 description: A list of node selector requirements by node's fields. 1134 type: array 1135 items: 1136 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1137 type: object 1138 required: 1139 - key 1140 - operator 1141 properties: 1142 key: 1143 description: The label key that the selector applies to. 1144 type: string 1145 operator: 1146 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1147 type: string 1148 values: 1149 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1150 type: array 1151 items: 1152 type: string 1153 x-kubernetes-map-type: atomic 1154 weight: 1155 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 1156 type: integer 1157 format: int32 1158 requiredDuringSchedulingIgnoredDuringExecution: 1159 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to an update), the system may or may not try to eventually evict the pod from its node. 1160 type: object 1161 required: 1162 - nodeSelectorTerms 1163 properties: 1164 nodeSelectorTerms: 1165 description: Required. A list of node selector terms. The terms are ORed. 1166 type: array 1167 items: 1168 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 1169 type: object 1170 properties: 1171 matchExpressions: 1172 description: A list of node selector requirements by node's labels. 1173 type: array 1174 items: 1175 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1176 type: object 1177 required: 1178 - key 1179 - operator 1180 properties: 1181 key: 1182 description: The label key that the selector applies to. 1183 type: string 1184 operator: 1185 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1186 type: string 1187 values: 1188 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1189 type: array 1190 items: 1191 type: string 1192 matchFields: 1193 description: A list of node selector requirements by node's fields. 1194 type: array 1195 items: 1196 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1197 type: object 1198 required: 1199 - key 1200 - operator 1201 properties: 1202 key: 1203 description: The label key that the selector applies to. 
1204 type: string 1205 operator: 1206 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1207 type: string 1208 values: 1209 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1210 type: array 1211 items: 1212 type: string 1213 x-kubernetes-map-type: atomic 1214 x-kubernetes-map-type: atomic 1215 podAffinity: 1216 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 1217 type: object 1218 properties: 1219 preferredDuringSchedulingIgnoredDuringExecution: 1220 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 1221 type: array 1222 items: 1223 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 1224 type: object 1225 required: 1226 - podAffinityTerm 1227 - weight 1228 properties: 1229 podAffinityTerm: 1230 description: Required. A pod affinity term, associated with the corresponding weight. 
1231 type: object 1232 required: 1233 - topologyKey 1234 properties: 1235 labelSelector: 1236 description: A label query over a set of resources, in this case pods. 1237 type: object 1238 properties: 1239 matchExpressions: 1240 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1241 type: array 1242 items: 1243 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1244 type: object 1245 required: 1246 - key 1247 - operator 1248 properties: 1249 key: 1250 description: key is the label key that the selector applies to. 1251 type: string 1252 operator: 1253 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1254 type: string 1255 values: 1256 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1257 type: array 1258 items: 1259 type: string 1260 matchLabels: 1261 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1262 type: object 1263 additionalProperties: 1264 type: string 1265 x-kubernetes-map-type: atomic 1266 namespaceSelector: 1267 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 
1268 type: object 1269 properties: 1270 matchExpressions: 1271 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1272 type: array 1273 items: 1274 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1275 type: object 1276 required: 1277 - key 1278 - operator 1279 properties: 1280 key: 1281 description: key is the label key that the selector applies to. 1282 type: string 1283 operator: 1284 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1285 type: string 1286 values: 1287 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1288 type: array 1289 items: 1290 type: string 1291 matchLabels: 1292 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1293 type: object 1294 additionalProperties: 1295 type: string 1296 x-kubernetes-map-type: atomic 1297 namespaces: 1298 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
1299 type: array 1300 items: 1301 type: string 1302 topologyKey: 1303 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1304 type: string 1305 weight: 1306 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 1307 type: integer 1308 format: int32 1309 requiredDuringSchedulingIgnoredDuringExecution: 1310 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 1311 type: array 1312 items: 1313 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 1314 type: object 1315 required: 1316 - topologyKey 1317 properties: 1318 labelSelector: 1319 description: A label query over a set of resources, in this case pods. 1320 type: object 1321 properties: 1322 matchExpressions: 1323 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
1324 type: array 1325 items: 1326 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1327 type: object 1328 required: 1329 - key 1330 - operator 1331 properties: 1332 key: 1333 description: key is the label key that the selector applies to. 1334 type: string 1335 operator: 1336 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1337 type: string 1338 values: 1339 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1340 type: array 1341 items: 1342 type: string 1343 matchLabels: 1344 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1345 type: object 1346 additionalProperties: 1347 type: string 1348 x-kubernetes-map-type: atomic 1349 namespaceSelector: 1350 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 1351 type: object 1352 properties: 1353 matchExpressions: 1354 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1355 type: array 1356 items: 1357 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
1358 type: object 1359 required: 1360 - key 1361 - operator 1362 properties: 1363 key: 1364 description: key is the label key that the selector applies to. 1365 type: string 1366 operator: 1367 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1368 type: string 1369 values: 1370 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1371 type: array 1372 items: 1373 type: string 1374 matchLabels: 1375 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1376 type: object 1377 additionalProperties: 1378 type: string 1379 x-kubernetes-map-type: atomic 1380 namespaces: 1381 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 1382 type: array 1383 items: 1384 type: string 1385 topologyKey: 1386 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1387 type: string 1388 podAntiAffinity: 1389 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
1390 type: object 1391 properties: 1392 preferredDuringSchedulingIgnoredDuringExecution: 1393 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 1394 type: array 1395 items: 1396 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 1397 type: object 1398 required: 1399 - podAffinityTerm 1400 - weight 1401 properties: 1402 podAffinityTerm: 1403 description: Required. A pod affinity term, associated with the corresponding weight. 1404 type: object 1405 required: 1406 - topologyKey 1407 properties: 1408 labelSelector: 1409 description: A label query over a set of resources, in this case pods. 1410 type: object 1411 properties: 1412 matchExpressions: 1413 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1414 type: array 1415 items: 1416 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1417 type: object 1418 required: 1419 - key 1420 - operator 1421 properties: 1422 key: 1423 description: key is the label key that the selector applies to. 1424 type: string 1425 operator: 1426 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
1427 type: string 1428 values: 1429 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1430 type: array 1431 items: 1432 type: string 1433 matchLabels: 1434 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1435 type: object 1436 additionalProperties: 1437 type: string 1438 x-kubernetes-map-type: atomic 1439 namespaceSelector: 1440 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 1441 type: object 1442 properties: 1443 matchExpressions: 1444 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1445 type: array 1446 items: 1447 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1448 type: object 1449 required: 1450 - key 1451 - operator 1452 properties: 1453 key: 1454 description: key is the label key that the selector applies to. 1455 type: string 1456 operator: 1457 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1458 type: string 1459 values: 1460 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. 1461 type: array 1462 items: 1463 type: string 1464 matchLabels: 1465 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1466 type: object 1467 additionalProperties: 1468 type: string 1469 x-kubernetes-map-type: atomic 1470 namespaces: 1471 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 1472 type: array 1473 items: 1474 type: string 1475 topologyKey: 1476 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1477 type: string 1478 weight: 1479 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 1480 type: integer 1481 format: int32 1482 requiredDuringSchedulingIgnoredDuringExecution: 1483 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
1484 type: array 1485 items: 1486 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 1487 type: object 1488 required: 1489 - topologyKey 1490 properties: 1491 labelSelector: 1492 description: A label query over a set of resources, in this case pods. 1493 type: object 1494 properties: 1495 matchExpressions: 1496 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1497 type: array 1498 items: 1499 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1500 type: object 1501 required: 1502 - key 1503 - operator 1504 properties: 1505 key: 1506 description: key is the label key that the selector applies to. 1507 type: string 1508 operator: 1509 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1510 type: string 1511 values: 1512 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1513 type: array 1514 items: 1515 type: string 1516 matchLabels: 1517 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
1518 type: object 1519 additionalProperties: 1520 type: string 1521 x-kubernetes-map-type: atomic 1522 namespaceSelector: 1523 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 1524 type: object 1525 properties: 1526 matchExpressions: 1527 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1528 type: array 1529 items: 1530 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1531 type: object 1532 required: 1533 - key 1534 - operator 1535 properties: 1536 key: 1537 description: key is the label key that the selector applies to. 1538 type: string 1539 operator: 1540 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1541 type: string 1542 values: 1543 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1544 type: array 1545 items: 1546 type: string 1547 matchLabels: 1548 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1549 type: object 1550 additionalProperties: 1551 type: string 1552 x-kubernetes-map-type: atomic 1553 namespaces: 1554 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 1555 type: array 1556 items: 1557 type: string 1558 topologyKey: 1559 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1560 type: string 1561 imagePullSecrets: 1562 description: If specified, the pod's imagePullSecrets 1563 type: array 1564 items: 1565 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. 1566 type: object 1567 properties: 1568 name: 1569 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 1570 type: string 1571 x-kubernetes-map-type: atomic 1572 nodeSelector: 1573 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 1574 type: object 1575 additionalProperties: 1576 type: string 1577 priorityClassName: 1578 description: If specified, the pod's priorityClassName. 1579 type: string 1580 serviceAccountName: 1581 description: If specified, the pod's service account 1582 type: string 1583 tolerations: 1584 description: If specified, the pod's tolerations. 1585 type: array 1586 items: 1587 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 
1588 type: object 1589 properties: 1590 effect: 1591 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 1592 type: string 1593 key: 1594 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 1595 type: string 1596 operator: 1597 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 1598 type: string 1599 tolerationSeconds: 1600 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 1601 type: integer 1602 format: int64 1603 value: 1604 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 1605 type: string 1606 serviceType: 1607 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 1608 type: string 1609 selector: 1610 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 1611 type: object 1612 properties: 1613 dnsNames: 1614 description: List of DNSNames that this solver will be used to solve. 
If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 1615 type: array 1616 items: 1617 type: string 1618 dnsZones: 1619 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 1620 type: array 1621 items: 1622 type: string 1623 matchLabels: 1624 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to. 1625 type: object 1626 additionalProperties: 1627 type: string 1628 token: 1629 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. 1630 type: string 1631 type: 1632 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". 1633 type: string 1634 enum: 1635 - HTTP-01 1636 - DNS-01 1637 url: 1638 description: The URL of the ACME Challenge resource for this challenge. This can be used to look up details about the status of this challenge. 1639 type: string 1640 wildcard: 1641 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. 1642 type: boolean 1643 status: 1644 type: object 1645 properties: 1646 presented: 1647 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. 
This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). 1648 type: boolean 1649 processing: 1650 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. 1651 type: boolean 1652 reason: 1653 description: Contains human readable information on why the Challenge is in the current state. 1654 type: string 1655 state: 1656 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. 1657 type: string 1658 enum: 1659 - valid 1660 - ready 1661 - pending 1662 - processing 1663 - invalid 1664 - expired 1665 - errored 1666 served: true 1667 storage: true 1668 subresources: 1669 status: {} 1670 --- 1671 # Source: cert-manager/templates/crds.yaml 1672 apiVersion: apiextensions.k8s.io/v1 1673 kind: CustomResourceDefinition 1674 metadata: 1675 name: clusterissuers.cert-manager.io 1676 labels: 1677 app: 'cert-manager' 1678 app.kubernetes.io/name: 'cert-manager' 1679 app.kubernetes.io/instance: "cert-manager" 1680 # Generated labels 1681 app.kubernetes.io/version: "v1.12.3" 1682 spec: 1683 group: cert-manager.io 1684 names: 1685 kind: ClusterIssuer 1686 listKind: ClusterIssuerList 1687 plural: clusterissuers 1688 singular: clusterissuer 1689 categories: 1690 - cert-manager 1691 scope: Cluster 1692 versions: 1693 - name: v1 1694 subresources: 1695 status: {} 1696 additionalPrinterColumns: 1697 - jsonPath: .status.conditions[?(@.type=="Ready")].status 1698 name: Ready 1699 type: string 1700 - jsonPath: .status.conditions[?(@.type=="Ready")].message 1701 name: Status 1702 
priority: 1 1703 type: string 1704 - jsonPath: .metadata.creationTimestamp 1705 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 1706 name: Age 1707 type: date 1708 schema: 1709 openAPIV3Schema: 1710 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. 1711 type: object 1712 required: 1713 - spec 1714 properties: 1715 apiVersion: 1716 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1717 type: string 1718 kind: 1719 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1720 type: string 1721 metadata: 1722 type: object 1723 spec: 1724 description: Desired state of the ClusterIssuer resource. 1725 type: object 1726 properties: 1727 acme: 1728 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. 1729 type: object 1730 required: 1731 - privateKeySecretRef 1732 - server 1733 properties: 1734 caBundle: 1735 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. 
Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. 1736 type: string 1737 format: byte 1738 disableAccountKeyGeneration: 1739 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. 1740 type: boolean 1741 email: 1742 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 1743 type: string 1744 enableDurationFeature: 1745 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. Not all ACME servers support this (for example, Let's Encrypt does not). If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false. 1746 type: boolean 1747 externalAccountBinding: 1748 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. 1749 type: object 1750 required: 1751 - keyID 1752 - keySecretRef 1753 properties: 1754 keyAlgorithm: 1755 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' 
1756 type: string 1757 enum: 1758 - HS256 1759 - HS384 1760 - HS512 1761 keyID: 1762 description: keyID is the ID of the CA key that the External Account is bound to. 1763 type: string 1764 keySecretRef: 1765 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. 1766 type: object 1767 required: 1768 - name 1769 properties: 1770 key: 1771 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1772 type: string 1773 name: 1774 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1775 type: string 1776 preferredChain: 1777 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' 1778 type: string 1779 maxLength: 64 1780 privateKeySecretRef: 1781 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. 
1782 type: object 1783 required: 1784 - name 1785 properties: 1786 key: 1787 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1788 type: string 1789 name: 1790 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1791 type: string 1792 server: 1793 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' 1794 type: string 1795 skipTLSVerify: 1796 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' 1797 type: boolean 1798 solvers: 1799 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' 1800 type: array 1801 items: 1802 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. 
1803 type: object 1804 properties: 1805 dns01: 1806 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 1807 type: object 1808 properties: 1809 acmeDNS: 1810 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 1811 type: object 1812 required: 1813 - accountSecretRef 1814 - host 1815 properties: 1816 accountSecretRef: 1817 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1818 type: object 1819 required: 1820 - name 1821 properties: 1822 key: 1823 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1824 type: string 1825 name: 1826 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1827 type: string 1828 host: 1829 type: string 1830 akamai: 1831 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 1832 type: object 1833 required: 1834 - accessTokenSecretRef 1835 - clientSecretSecretRef 1836 - clientTokenSecretRef 1837 - serviceConsumerDomain 1838 properties: 1839 accessTokenSecretRef: 1840 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1841 type: object 1842 required: 1843 - name 1844 properties: 1845 key: 1846 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1847 type: string 1848 name: 1849 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1850 type: string 1851 clientSecretSecretRef: 1852 description: A reference to a specific 'key' within a Secret resource. 
In some instances, `key` is a required field. 1853 type: object 1854 required: 1855 - name 1856 properties: 1857 key: 1858 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1859 type: string 1860 name: 1861 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1862 type: string 1863 clientTokenSecretRef: 1864 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1865 type: object 1866 required: 1867 - name 1868 properties: 1869 key: 1870 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1871 type: string 1872 name: 1873 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1874 type: string 1875 serviceConsumerDomain: 1876 type: string 1877 azureDNS: 1878 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 1879 type: object 1880 required: 1881 - resourceGroupName 1882 - subscriptionID 1883 properties: 1884 clientID: 1885 description: if both this and ClientSecret are left unset MSI will be used 1886 type: string 1887 clientSecretSecretRef: 1888 description: if both this and ClientID are left unset MSI will be used 1889 type: object 1890 required: 1891 - name 1892 properties: 1893 key: 1894 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1895 type: string 1896 name: 1897 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1898 type: string 1899 environment: 1900 description: name of the Azure environment (default AzurePublicCloud) 1901 type: string 1902 enum: 1903 - AzurePublicCloud 1904 - AzureChinaCloud 1905 - AzureGermanCloud 1906 - AzureUSGovernmentCloud 1907 hostedZoneName: 1908 description: name of the DNS zone that should be used 1909 type: string 1910 managedIdentity: 1911 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 1912 type: object 1913 properties: 1914 clientID: 1915 description: client ID of the managed identity, can not be used at the same time as resourceID 1916 type: string 1917 resourceID: 1918 description: resource ID of the managed identity, can not be used at the same time as clientID 1919 type: string 1920 resourceGroupName: 1921 description: resource group the DNS zone is located in 1922 type: string 1923 subscriptionID: 1924 description: ID of the Azure subscription 1925 type: string 1926 tenantID: 1927 description: when specifying ClientID and ClientSecret then this field is also needed 1928 type: string 1929 cloudDNS: 1930 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 1931 type: object 1932 required: 1933 - project 1934 properties: 1935 hostedZoneName: 1936 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 1937 type: string 1938 project: 1939 type: string 1940 serviceAccountSecretRef: 1941 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1942 type: object 1943 required: 1944 - name 1945 properties: 1946 key: 1947 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 1948 type: string 1949 name: 1950 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1951 type: string 1952 cloudflare: 1953 description: Use the Cloudflare API to manage DNS01 challenge records. 1954 type: object 1955 properties: 1956 apiKeySecretRef: 1957 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 1958 type: object 1959 required: 1960 - name 1961 properties: 1962 key: 1963 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1964 type: string 1965 name: 1966 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1967 type: string 1968 apiTokenSecretRef: 1969 description: API token used to authenticate with Cloudflare. 1970 type: object 1971 required: 1972 - name 1973 properties: 1974 key: 1975 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1976 type: string 1977 name: 1978 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1979 type: string 1980 email: 1981 description: Email of the account, only required when using API key based authentication. 1982 type: string 1983 cnameStrategy: 1984 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 1985 type: string 1986 enum: 1987 - None 1988 - Follow 1989 digitalocean: 1990 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 
1991 type: object 1992 required: 1993 - tokenSecretRef 1994 properties: 1995 tokenSecretRef: 1996 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1997 type: object 1998 required: 1999 - name 2000 properties: 2001 key: 2002 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2003 type: string 2004 name: 2005 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2006 type: string 2007 rfc2136: 2008 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 2009 type: object 2010 required: 2011 - nameserver 2012 properties: 2013 nameserver: 2014 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required. 2015 type: string 2016 tsigAlgorithm: 2017 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. HMAC-MD5 and HMAC-SHA1 are weak by current standards; prefer ``HMACSHA256`` or ``HMACSHA512`` whenever the DNS server supports them.' 2018 type: string 2019 tsigKeyName: 2020 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 2021 type: string 2022 tsigSecretSecretRef: 2023 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 2024 type: object 2025 required: 2026 - name 2027 properties: 2028 key: 2029 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 2030 type: string 2031 name: 2032 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2033 type: string 2034 route53: 2035 description: Use the AWS Route53 API to manage DNS01 challenge records. 2036 type: object 2037 required: 2038 - region 2039 properties: 2040 accessKeyID: 2041 description: 'The AccessKeyID is used for authentication. Cannot be set when AccessKeyIDSecretRef is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 2042 type: string 2043 accessKeyIDSecretRef: 2044 description: 'The AccessKeyID is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 2045 type: object 2046 required: 2047 - name 2048 properties: 2049 key: 2050 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2051 type: string 2052 name: 2053 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2054 type: string 2055 hostedZoneID: 2056 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. 
2057 type: string 2058 region: 2059 description: Always set the region when using AccessKeyID and SecretAccessKey 2060 type: string 2061 role: 2062 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 2063 type: string 2064 secretAccessKeySecretRef: 2065 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 2066 type: object 2067 required: 2068 - name 2069 properties: 2070 key: 2071 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2072 type: string 2073 name: 2074 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2075 type: string 2076 webhook: 2077 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 2078 type: object 2079 required: 2080 - groupName 2081 - solverName 2082 properties: 2083 config: 2084 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza, because it is stored as part of the Issuer object rather than in a Secret and is visible to anyone permitted to read the Issuer. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 
2085 x-kubernetes-preserve-unknown-fields: true 2086 groupName: 2087 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 2088 type: string 2089 solverName: 2090 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 2091 type: string 2092 http01: 2093 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 2094 type: object 2095 properties: 2096 gatewayHTTPRoute: 2097 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 2098 type: object 2099 properties: 2100 labels: 2101 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 2102 type: object 2103 additionalProperties: 2104 type: string 2105 parentRefs: 2106 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' 2107 type: array 2108 items: 2109 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. 
This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." 2110 type: object 2111 required: 2112 - name 2113 properties: 2114 group: 2115 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" 2116 type: string 2117 default: gateway.networking.k8s.io 2118 maxLength: 253 2119 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2120 kind: 2121 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" 2122 type: string 2123 default: Gateway 2124 maxLength: 63 2125 minLength: 1 2126 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 2127 name: 2128 description: "Name is the name of the referent. \n Support: Core" 2129 type: string 2130 maxLength: 253 2131 minLength: 1 2132 namespace: 2133 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" 2134 type: string 2135 maxLength: 63 2136 minLength: 1 2137 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 2138 port: 2139 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>" 2140 type: integer 2141 format: int32 2142 maximum: 65535 2143 minimum: 1 2144 sectionName: 2145 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. 
For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 2146 type: string 2147 maxLength: 253 2148 minLength: 1 2149 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2150 serviceType: 2151 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 2152 type: string 2153 ingress: 2154 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 2155 type: object 2156 properties: 2157 class: 2158 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. 2159 type: string 2160 ingressClassName: 2161 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. 2162 type: string 2163 ingressTemplate: 2164 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 2165 type: object 2166 properties: 2167 metadata: 2168 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. 
If labels or annotations overlap with in-built values, the values here will override the in-built values. 2169 type: object 2170 properties: 2171 annotations: 2172 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 2173 type: object 2174 additionalProperties: 2175 type: string 2176 labels: 2177 description: Labels that should be added to the created ACME HTTP01 solver ingress. 2178 type: object 2179 additionalProperties: 2180 type: string 2181 name: 2182 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. 2183 type: string 2184 podTemplate: 2185 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 2186 type: object 2187 properties: 2188 metadata: 2189 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 2190 type: object 2191 properties: 2192 annotations: 2193 description: Annotations that should be added to the created ACME HTTP01 solver pods. 2194 type: object 2195 additionalProperties: 2196 type: string 2197 labels: 2198 description: Labels that should be added to the created ACME HTTP01 solver pods. 2199 type: object 2200 additionalProperties: 2201 type: string 2202 spec: 2203 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. 
2204 type: object 2205 properties: 2206 affinity: 2207 description: If specified, the pod's scheduling constraints 2208 type: object 2209 properties: 2210 nodeAffinity: 2211 description: Describes node affinity scheduling rules for the pod. 2212 type: object 2213 properties: 2214 preferredDuringSchedulingIgnoredDuringExecution: 2215 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 2216 type: array 2217 items: 2218 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 2219 type: object 2220 required: 2221 - preference 2222 - weight 2223 properties: 2224 preference: 2225 description: A node selector term, associated with the corresponding weight. 2226 type: object 2227 properties: 2228 matchExpressions: 2229 description: A list of node selector requirements by node's labels. 2230 type: array 2231 items: 2232 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2233 type: object 2234 required: 2235 - key 2236 - operator 2237 properties: 2238 key: 2239 description: The label key that the selector applies to. 2240 type: string 2241 operator: 2242 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 
2243 type: string 2244 values: 2245 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2246 type: array 2247 items: 2248 type: string 2249 matchFields: 2250 description: A list of node selector requirements by node's fields. 2251 type: array 2252 items: 2253 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2254 type: object 2255 required: 2256 - key 2257 - operator 2258 properties: 2259 key: 2260 description: The label key that the selector applies to. 2261 type: string 2262 operator: 2263 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 2264 type: string 2265 values: 2266 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2267 type: array 2268 items: 2269 type: string 2270 x-kubernetes-map-type: atomic 2271 weight: 2272 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 2273 type: integer 2274 format: int32 2275 requiredDuringSchedulingIgnoredDuringExecution: 2276 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to an update), the system may or may not try to eventually evict the pod from its node. 2277 type: object 2278 required: 2279 - nodeSelectorTerms 2280 properties: 2281 nodeSelectorTerms: 2282 description: Required. A list of node selector terms. The terms are ORed. 2283 type: array 2284 items: 2285 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 2286 type: object 2287 properties: 2288 matchExpressions: 2289 description: A list of node selector requirements by node's labels. 2290 type: array 2291 items: 2292 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2293 type: object 2294 required: 2295 - key 2296 - operator 2297 properties: 2298 key: 2299 description: The label key that the selector applies to. 2300 type: string 2301 operator: 2302 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 2303 type: string 2304 values: 2305 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2306 type: array 2307 items: 2308 type: string 2309 matchFields: 2310 description: A list of node selector requirements by node's fields. 2311 type: array 2312 items: 2313 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2314 type: object 2315 required: 2316 - key 2317 - operator 2318 properties: 2319 key: 2320 description: The label key that the selector applies to. 
2321 type: string 2322 operator: 2323 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 2324 type: string 2325 values: 2326 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2327 type: array 2328 items: 2329 type: string 2330 x-kubernetes-map-type: atomic 2331 x-kubernetes-map-type: atomic 2332 podAffinity: 2333 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 2334 type: object 2335 properties: 2336 preferredDuringSchedulingIgnoredDuringExecution: 2337 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 2338 type: array 2339 items: 2340 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2341 type: object 2342 required: 2343 - podAffinityTerm 2344 - weight 2345 properties: 2346 podAffinityTerm: 2347 description: Required. A pod affinity term, associated with the corresponding weight. 
2348 type: object 2349 required: 2350 - topologyKey 2351 properties: 2352 labelSelector: 2353 description: A label query over a set of resources, in this case pods. 2354 type: object 2355 properties: 2356 matchExpressions: 2357 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2358 type: array 2359 items: 2360 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2361 type: object 2362 required: 2363 - key 2364 - operator 2365 properties: 2366 key: 2367 description: key is the label key that the selector applies to. 2368 type: string 2369 operator: 2370 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2371 type: string 2372 values: 2373 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2374 type: array 2375 items: 2376 type: string 2377 matchLabels: 2378 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2379 type: object 2380 additionalProperties: 2381 type: string 2382 x-kubernetes-map-type: atomic 2383 namespaceSelector: 2384 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 
2385 type: object 2386 properties: 2387 matchExpressions: 2388 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2389 type: array 2390 items: 2391 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2392 type: object 2393 required: 2394 - key 2395 - operator 2396 properties: 2397 key: 2398 description: key is the label key that the selector applies to. 2399 type: string 2400 operator: 2401 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2402 type: string 2403 values: 2404 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2405 type: array 2406 items: 2407 type: string 2408 matchLabels: 2409 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2410 type: object 2411 additionalProperties: 2412 type: string 2413 x-kubernetes-map-type: atomic 2414 namespaces: 2415 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
2416 type: array 2417 items: 2418 type: string 2419 topologyKey: 2420 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2421 type: string 2422 weight: 2423 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 2424 type: integer 2425 format: int32 2426 requiredDuringSchedulingIgnoredDuringExecution: 2427 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 2428 type: array 2429 items: 2430 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 2431 type: object 2432 required: 2433 - topologyKey 2434 properties: 2435 labelSelector: 2436 description: A label query over a set of resources, in this case pods. 2437 type: object 2438 properties: 2439 matchExpressions: 2440 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
2441 type: array 2442 items: 2443 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2444 type: object 2445 required: 2446 - key 2447 - operator 2448 properties: 2449 key: 2450 description: key is the label key that the selector applies to. 2451 type: string 2452 operator: 2453 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2454 type: string 2455 values: 2456 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2457 type: array 2458 items: 2459 type: string 2460 matchLabels: 2461 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2462 type: object 2463 additionalProperties: 2464 type: string 2465 x-kubernetes-map-type: atomic 2466 namespaceSelector: 2467 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 2468 type: object 2469 properties: 2470 matchExpressions: 2471 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2472 type: array 2473 items: 2474 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
2475 type: object 2476 required: 2477 - key 2478 - operator 2479 properties: 2480 key: 2481 description: key is the label key that the selector applies to. 2482 type: string 2483 operator: 2484 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2485 type: string 2486 values: 2487 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2488 type: array 2489 items: 2490 type: string 2491 matchLabels: 2492 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2493 type: object 2494 additionalProperties: 2495 type: string 2496 x-kubernetes-map-type: atomic 2497 namespaces: 2498 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 2499 type: array 2500 items: 2501 type: string 2502 topologyKey: 2503 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2504 type: string 2505 podAntiAffinity: 2506 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
2507 type: object 2508 properties: 2509 preferredDuringSchedulingIgnoredDuringExecution: 2510 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 2511 type: array 2512 items: 2513 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2514 type: object 2515 required: 2516 - podAffinityTerm 2517 - weight 2518 properties: 2519 podAffinityTerm: 2520 description: Required. A pod affinity term, associated with the corresponding weight. 2521 type: object 2522 required: 2523 - topologyKey 2524 properties: 2525 labelSelector: 2526 description: A label query over a set of resources, in this case pods. 2527 type: object 2528 properties: 2529 matchExpressions: 2530 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2531 type: array 2532 items: 2533 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2534 type: object 2535 required: 2536 - key 2537 - operator 2538 properties: 2539 key: 2540 description: key is the label key that the selector applies to. 2541 type: string 2542 operator: 2543 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
2544 type: string 2545 values: 2546 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2547 type: array 2548 items: 2549 type: string 2550 matchLabels: 2551 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2552 type: object 2553 additionalProperties: 2554 type: string 2555 x-kubernetes-map-type: atomic 2556 namespaceSelector: 2557 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 2558 type: object 2559 properties: 2560 matchExpressions: 2561 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2562 type: array 2563 items: 2564 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2565 type: object 2566 required: 2567 - key 2568 - operator 2569 properties: 2570 key: 2571 description: key is the label key that the selector applies to. 2572 type: string 2573 operator: 2574 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2575 type: string 2576 values: 2577 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. 2578 type: array 2579 items: 2580 type: string 2581 matchLabels: 2582 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2583 type: object 2584 additionalProperties: 2585 type: string 2586 x-kubernetes-map-type: atomic 2587 namespaces: 2588 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 2589 type: array 2590 items: 2591 type: string 2592 topologyKey: 2593 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2594 type: string 2595 weight: 2596 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 2597 type: integer 2598 format: int32 2599 requiredDuringSchedulingIgnoredDuringExecution: 2600 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
2601 type: array 2602 items: 2603 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 2604 type: object 2605 required: 2606 - topologyKey 2607 properties: 2608 labelSelector: 2609 description: A label query over a set of resources, in this case pods. 2610 type: object 2611 properties: 2612 matchExpressions: 2613 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2614 type: array 2615 items: 2616 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2617 type: object 2618 required: 2619 - key 2620 - operator 2621 properties: 2622 key: 2623 description: key is the label key that the selector applies to. 2624 type: string 2625 operator: 2626 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2627 type: string 2628 values: 2629 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2630 type: array 2631 items: 2632 type: string 2633 matchLabels: 2634 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
2635 type: object 2636 additionalProperties: 2637 type: string 2638 x-kubernetes-map-type: atomic 2639 namespaceSelector: 2640 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 2641 type: object 2642 properties: 2643 matchExpressions: 2644 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2645 type: array 2646 items: 2647 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2648 type: object 2649 required: 2650 - key 2651 - operator 2652 properties: 2653 key: 2654 description: key is the label key that the selector applies to. 2655 type: string 2656 operator: 2657 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2658 type: string 2659 values: 2660 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2661 type: array 2662 items: 2663 type: string 2664 matchLabels: 2665 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2666 type: object 2667 additionalProperties: 2668 type: string 2669 x-kubernetes-map-type: atomic 2670 namespaces: 2671 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 2672 type: array 2673 items: 2674 type: string 2675 topologyKey: 2676 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2677 type: string 2678 imagePullSecrets: 2679 description: If specified, the pod's imagePullSecrets 2680 type: array 2681 items: 2682 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. 2683 type: object 2684 properties: 2685 name: 2686 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 2687 type: string 2688 x-kubernetes-map-type: atomic 2689 nodeSelector: 2690 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 2691 type: object 2692 additionalProperties: 2693 type: string 2694 priorityClassName: 2695 description: If specified, the pod's priorityClassName. 2696 type: string 2697 serviceAccountName: 2698 description: If specified, the pod's service account 2699 type: string 2700 tolerations: 2701 description: If specified, the pod's tolerations. 2702 type: array 2703 items: 2704 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 
2705 type: object 2706 properties: 2707 effect: 2708 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 2709 type: string 2710 key: 2711 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 2712 type: string 2713 operator: 2714 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 2715 type: string 2716 tolerationSeconds: 2717 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 2718 type: integer 2719 format: int64 2720 value: 2721 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 2722 type: string 2723 serviceType: 2724 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 2725 type: string 2726 selector: 2727 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 2728 type: object 2729 properties: 2730 dnsNames: 2731 description: List of DNSNames that this solver will be used to solve. 
If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 2732 type: array 2733 items: 2734 type: string 2735 dnsZones: 2736 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 2737 type: array 2738 items: 2739 type: string 2740 matchLabels: 2741 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to. 2742 type: object 2743 additionalProperties: 2744 type: string 2745 ca: 2746 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 2747 type: object 2748 required: 2749 - secretName 2750 properties: 2751 crlDistributionPoints: 2752 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 2753 type: array 2754 items: 2755 type: string 2756 ocspServers: 2757 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. 
If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 2758 type: array 2759 items: 2760 type: string 2761 secretName: 2762 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 2763 type: string 2764 selfSigned: 2765 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 2766 type: object 2767 properties: 2768 crlDistributionPoints: 2769 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings. 2770 type: array 2771 items: 2772 type: string 2773 vault: 2774 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 2775 type: object 2776 required: 2777 - auth 2778 - path 2779 - server 2780 properties: 2781 auth: 2782 description: Auth configures how cert-manager authenticates with the Vault server. 2783 type: object 2784 properties: 2785 appRole: 2786 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 2787 type: object 2788 required: 2789 - path 2790 - roleId 2791 - secretRef 2792 properties: 2793 path: 2794 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 2795 type: string 2796 roleId: 2797 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 2798 type: string 2799 secretRef: 2800 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. 
The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 2801 type: object 2802 required: 2803 - name 2804 properties: 2805 key: 2806 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2807 type: string 2808 name: 2809 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2810 type: string 2811 kubernetes: 2812 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 2813 type: object 2814 required: 2815 - role 2816 properties: 2817 mountPath: 2818 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 2819 type: string 2820 role: 2821 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 2822 type: string 2823 secretRef: 2824 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 2825 type: object 2826 required: 2827 - name 2828 properties: 2829 key: 2830 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2831 type: string 2832 name: 2833 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2834 type: string 2835 serviceAccountRef: 2836 description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. 2837 type: object 2838 required: 2839 - name 2840 properties: 2841 name: 2842 description: Name of the ServiceAccount used to request a token. 2843 type: string 2844 tokenSecretRef: 2845 description: TokenSecretRef authenticates with Vault by presenting a token. 2846 type: object 2847 required: 2848 - name 2849 properties: 2850 key: 2851 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2852 type: string 2853 name: 2854 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2855 type: string 2856 caBundle: 2857 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. 2858 type: string 2859 format: byte 2860 caBundleSecretRef: 2861 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. 
If no key for the Secret is specified, cert-manager will default to 'ca.crt'. 2862 type: object 2863 required: 2864 - name 2865 properties: 2866 key: 2867 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2868 type: string 2869 name: 2870 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2871 type: string 2872 namespace: 2873 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' 2874 type: string 2875 path: 2876 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 2877 type: string 2878 server: 2879 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 2880 type: string 2881 venafi: 2882 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 2883 type: object 2884 required: 2885 - zone 2886 properties: 2887 cloud: 2888 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 2889 type: object 2890 required: 2891 - apiTokenSecretRef 2892 properties: 2893 apiTokenSecretRef: 2894 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 2895 type: object 2896 required: 2897 - name 2898 properties: 2899 key: 2900 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2901 type: string 2902 name: 2903 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2904 type: string 2905 url: 2906 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 2907 type: string 2908 tpp: 2909 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 2910 type: object 2911 required: 2912 - credentialsRef 2913 - url 2914 properties: 2915 caBundle: 2916 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. 2917 type: string 2918 format: byte 2919 credentialsRef: 2920 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 2921 type: object 2922 required: 2923 - name 2924 properties: 2925 name: 2926 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2927 type: string 2928 url: 2929 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 2930 type: string 2931 zone: 2932 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 2933 type: string 2934 status: 2935 description: Status of the ClusterIssuer. This is set and managed automatically. 2936 type: object 2937 properties: 2938 acme: 2939 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
2940 type: object 2941 properties: 2942 lastPrivateKeyHash: 2943 description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 2944 type: string 2945 lastRegisteredEmail: 2946 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 2947 type: string 2948 uri: 2949 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA 2950 type: string 2951 conditions: 2952 description: List of status conditions to indicate the status of the ClusterIssuer. Known condition types are `Ready`. 2953 type: array 2954 items: 2955 description: IssuerCondition contains condition information for an Issuer. 2956 type: object 2957 required: 2958 - status 2959 - type 2960 properties: 2961 lastTransitionTime: 2962 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 2963 type: string 2964 format: date-time 2965 message: 2966 description: Message is a human readable description of the details of the last transition, complementing reason. 2967 type: string 2968 observedGeneration: 2969 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 2970 type: integer 2971 format: int64 2972 reason: 2973 description: Reason is a brief machine readable explanation for the condition's last transition. 2974 type: string 2975 status: 2976 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2977 type: string 2978 enum: 2979 - "True" 2980 - "False" 2981 - Unknown 2982 type: 2983 description: Type of the condition, known values are (`Ready`). 2984 type: string 2985 x-kubernetes-list-map-keys: 2986 - type 2987 x-kubernetes-list-type: map 2988 served: true 2989 storage: true 2990 --- 2991 # Source: cert-manager/templates/crds.yaml 2992 apiVersion: apiextensions.k8s.io/v1 2993 kind: CustomResourceDefinition 2994 metadata: 2995 name: issuers.cert-manager.io 2996 labels: 2997 app: 'cert-manager' 2998 app.kubernetes.io/name: 'cert-manager' 2999 app.kubernetes.io/instance: "cert-manager" 3000 # Generated labels 3001 app.kubernetes.io/version: "v1.12.3" 3002 spec: 3003 group: cert-manager.io 3004 names: 3005 kind: Issuer 3006 listKind: IssuerList 3007 plural: issuers 3008 singular: issuer 3009 categories: 3010 - cert-manager 3011 scope: Namespaced 3012 versions: 3013 - name: v1 3014 subresources: 3015 status: {} 3016 additionalPrinterColumns: 3017 - jsonPath: .status.conditions[?(@.type=="Ready")].status 3018 name: Ready 3019 type: string 3020 - jsonPath: .status.conditions[?(@.type=="Ready")].message 3021 name: Status 3022 priority: 1 3023 type: string 3024 - jsonPath: .metadata.creationTimestamp 3025 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 3026 name: Age 3027 type: date 3028 schema: 3029 openAPIV3Schema: 3030 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. 3031 type: object 3032 required: 3033 - spec 3034 properties: 3035 apiVersion: 3036 description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3037 type: string 3038 kind: 3039 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3040 type: string 3041 metadata: 3042 type: object 3043 spec: 3044 description: Desired state of the Issuer resource. 3045 type: object 3046 properties: 3047 acme: 3048 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. 3049 type: object 3050 required: 3051 - privateKeySecretRef 3052 - server 3053 properties: 3054 caBundle: 3055 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. 3056 type: string 3057 format: byte 3058 disableAccountKeyGeneration: 3059 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. 3060 type: boolean 3061 email: 3062 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. 
It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 3063 type: string 3064 enableDurationFeature: 3065 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. 3066 type: boolean 3067 externalAccountBinding: 3068 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. 3069 type: object 3070 required: 3071 - keyID 3072 - keySecretRef 3073 properties: 3074 keyAlgorithm: 3075 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' 3076 type: string 3077 enum: 3078 - HS256 3079 - HS384 3080 - HS512 3081 keyID: 3082 description: keyID is the ID of the CA key that the External Account is bound to. 3083 type: string 3084 keySecretRef: 3085 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. 3086 type: object 3087 required: 3088 - name 3089 properties: 3090 key: 3091 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
3092 type: string 3093 name: 3094 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3095 type: string 3096 preferredChain: 3097 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' 3098 type: string 3099 maxLength: 64 3100 privateKeySecretRef: 3101 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. 3102 type: object 3103 required: 3104 - name 3105 properties: 3106 key: 3107 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3108 type: string 3109 name: 3110 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3111 type: string 3112 server: 3113 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' 3114 type: string 3115 skipTLSVerify: 3116 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. 
Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' 3117 type: boolean 3118 solvers: 3119 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' 3120 type: array 3121 items: 3122 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. 3123 type: object 3124 properties: 3125 dns01: 3126 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 3127 type: object 3128 properties: 3129 acmeDNS: 3130 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 3131 type: object 3132 required: 3133 - accountSecretRef 3134 - host 3135 properties: 3136 accountSecretRef: 3137 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3138 type: object 3139 required: 3140 - name 3141 properties: 3142 key: 3143 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3144 type: string 3145 name: 3146 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3147 type: string 3148 host: 3149 type: string 3150 akamai: 3151 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 3152 type: object 3153 required: 3154 - accessTokenSecretRef 3155 - clientSecretSecretRef 3156 - clientTokenSecretRef 3157 - serviceConsumerDomain 3158 properties: 3159 accessTokenSecretRef: 3160 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3161 type: object 3162 required: 3163 - name 3164 properties: 3165 key: 3166 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3167 type: string 3168 name: 3169 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3170 type: string 3171 clientSecretSecretRef: 3172 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3173 type: object 3174 required: 3175 - name 3176 properties: 3177 key: 3178 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3179 type: string 3180 name: 3181 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3182 type: string 3183 clientTokenSecretRef: 3184 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3185 type: object 3186 required: 3187 - name 3188 properties: 3189 key: 3190 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
3191 type: string 3192 name: 3193 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3194 type: string 3195 serviceConsumerDomain: 3196 type: string 3197 azureDNS: 3198 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 3199 type: object 3200 required: 3201 - resourceGroupName 3202 - subscriptionID 3203 properties: 3204 clientID: 3205 description: if both this and ClientSecret are left unset MSI will be used 3206 type: string 3207 clientSecretSecretRef: 3208 description: if both this and ClientID are left unset MSI will be used 3209 type: object 3210 required: 3211 - name 3212 properties: 3213 key: 3214 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3215 type: string 3216 name: 3217 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3218 type: string 3219 environment: 3220 description: name of the Azure environment (default AzurePublicCloud) 3221 type: string 3222 enum: 3223 - AzurePublicCloud 3224 - AzureChinaCloud 3225 - AzureGermanCloud 3226 - AzureUSGovernmentCloud 3227 hostedZoneName: 3228 description: name of the DNS zone that should be used 3229 type: string 3230 managedIdentity: 3231 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 3232 type: object 3233 properties: 3234 clientID: 3235 description: client ID of the managed identity, can not be used at the same time as resourceID 3236 type: string 3237 resourceID: 3238 description: resource ID of the managed identity, can not be used at the same time as clientID 3239 type: string 3240 resourceGroupName: 3241 description: resource group the DNS zone is located in 3242 type: string 3243 subscriptionID: 3244 
description: ID of the Azure subscription 3245 type: string 3246 tenantID: 3247 description: when specifying ClientID and ClientSecret then this field is also needed 3248 type: string 3249 cloudDNS: 3250 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 3251 type: object 3252 required: 3253 - project 3254 properties: 3255 hostedZoneName: 3256 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 3257 type: string 3258 project: 3259 type: string 3260 serviceAccountSecretRef: 3261 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3262 type: object 3263 required: 3264 - name 3265 properties: 3266 key: 3267 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3268 type: string 3269 name: 3270 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3271 type: string 3272 cloudflare: 3273 description: Use the Cloudflare API to manage DNS01 challenge records. 3274 type: object 3275 properties: 3276 apiKeySecretRef: 3277 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 3278 type: object 3279 required: 3280 - name 3281 properties: 3282 key: 3283 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3284 type: string 3285 name: 3286 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3287 type: string 3288 apiTokenSecretRef: 3289 description: API token used to authenticate with Cloudflare. 3290 type: object 3291 required: 3292 - name 3293 properties: 3294 key: 3295 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3296 type: string 3297 name: 3298 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3299 type: string 3300 email: 3301 description: Email of the account, only required when using API key based authentication. 3302 type: string 3303 cnameStrategy: 3304 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 3305 type: string 3306 enum: 3307 - None 3308 - Follow 3309 digitalocean: 3310 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 3311 type: object 3312 required: 3313 - tokenSecretRef 3314 properties: 3315 tokenSecretRef: 3316 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3317 type: object 3318 required: 3319 - name 3320 properties: 3321 key: 3322 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3323 type: string 3324 name: 3325 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3326 type: string 3327 rfc2136: 3328 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 
3329 type: object 3330 required: 3331 - nameserver 3332 properties: 3333 nameserver: 3334 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required. 3335 type: string 3336 tsigAlgorithm: 3337 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` is the default only for compatibility with older servers; prefer ``HMACSHA256`` or ``HMACSHA512`` where the nameserver supports them.' 3338 type: string 3339 tsigKeyName: 3340 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 3341 type: string 3342 tsigSecretSecretRef: 3343 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 3344 type: object 3345 required: 3346 - name 3347 properties: 3348 key: 3349 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3350 type: string 3351 name: 3352 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3353 type: string 3354 route53: 3355 description: Use the AWS Route53 API to manage DNS01 challenge records. 3356 type: object 3357 required: 3358 - region 3359 properties: 3360 accessKeyID: 3361 description: 'The AccessKeyID is used for authentication. Cannot be set when AccessKeyIDSecretRef is set.
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3362 type: string 3363 accessKeyIDSecretRef: 3364 description: 'The AccessKeyID is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3365 type: object 3366 required: 3367 - name 3368 properties: 3369 key: 3370 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3371 type: string 3372 name: 3373 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3374 type: string 3375 hostedZoneID: 3376 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. 3377 type: string 3378 region: 3379 description: Always set the region when using AccessKeyID and SecretAccessKey 3380 type: string 3381 role: 3382 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 3383 type: string 3384 secretAccessKeySecretRef: 3385 description: 'The SecretAccessKey is used for authentication.
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3386 type: object 3387 required: 3388 - name 3389 properties: 3390 key: 3391 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3392 type: string 3393 name: 3394 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3395 type: string 3396 webhook: 3397 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 3398 type: object 3399 required: 3400 - groupName 3401 - solverName 3402 properties: 3403 config: 3404 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 3405 x-kubernetes-preserve-unknown-fields: true 3406 groupName: 3407 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 3408 type: string 3409 solverName: 3410 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 3411 type: string 3412 http01: 3413 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. 
It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 3414 type: object 3415 properties: 3416 gatewayHTTPRoute: 3417 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 3418 type: object 3419 properties: 3420 labels: 3421 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 3422 type: object 3423 additionalProperties: 3424 type: string 3425 parentRefs: 3426 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' 3427 type: array 3428 items: 3429 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." 3430 type: object 3431 required: 3432 - name 3433 properties: 3434 group: 3435 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). 
\n Support: Core" 3436 type: string 3437 default: gateway.networking.k8s.io 3438 maxLength: 253 3439 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3440 kind: 3441 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" 3442 type: string 3443 default: Gateway 3444 maxLength: 63 3445 minLength: 1 3446 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 3447 name: 3448 description: "Name is the name of the referent. \n Support: Core" 3449 type: string 3450 maxLength: 253 3451 minLength: 1 3452 namespace: 3453 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" 3454 type: string 3455 maxLength: 63 3456 minLength: 1 3457 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 3458 port: 3459 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. 
\n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>" 3460 type: integer 3461 format: int32 3462 maximum: 65535 3463 minimum: 1 3464 sectionName: 3465 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 3466 type: string 3467 maxLength: 253 3468 minLength: 1 3469 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3470 serviceType: 3471 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
3472 type: string 3473 ingress: 3474 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 3475 type: object 3476 properties: 3477 class: 3478 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. 3479 type: string 3480 ingressClassName: 3481 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. 3482 type: string 3483 ingressTemplate: 3484 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 3485 type: object 3486 properties: 3487 metadata: 3488 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 3489 type: object 3490 properties: 3491 annotations: 3492 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 3493 type: object 3494 additionalProperties: 3495 type: string 3496 labels: 3497 description: Labels that should be added to the created ACME HTTP01 solver ingress. 3498 type: object 3499 additionalProperties: 3500 type: string 3501 name: 3502 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. 3503 type: string 3504 podTemplate: 3505 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 3506 type: object 3507 properties: 3508 metadata: 3509 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 3510 type: object 3511 properties: 3512 annotations: 3513 description: Annotations that should be added to the created ACME HTTP01 solver pods. 3514 type: object 3515 additionalProperties: 3516 type: string 3517 labels: 3518 description: Labels that should be added to the created ACME HTTP01 solver pods. 3519 type: object 3520 additionalProperties: 3521 type: string 3522 spec: 3523 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. 3524 type: object 3525 properties: 3526 affinity: 3527 description: If specified, the pod's scheduling constraints 3528 type: object 3529 properties: 3530 nodeAffinity: 3531 description: Describes node affinity scheduling rules for the pod. 3532 type: object 3533 properties: 3534 preferredDuringSchedulingIgnoredDuringExecution: 3535 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 3536 type: array 3537 items: 3538 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 3539 type: object 3540 required: 3541 - preference 3542 - weight 3543 properties: 3544 preference: 3545 description: A node selector term, associated with the corresponding weight. 3546 type: object 3547 properties: 3548 matchExpressions: 3549 description: A list of node selector requirements by node's labels. 3550 type: array 3551 items: 3552 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3553 type: object 3554 required: 3555 - key 3556 - operator 3557 properties: 3558 key: 3559 description: The label key that the selector applies to. 3560 type: string 3561 operator: 3562 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 3563 type: string 3564 values: 3565 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3566 type: array 3567 items: 3568 type: string 3569 matchFields: 3570 description: A list of node selector requirements by node's fields. 
3571 type: array 3572 items: 3573 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3574 type: object 3575 required: 3576 - key 3577 - operator 3578 properties: 3579 key: 3580 description: The label key that the selector applies to. 3581 type: string 3582 operator: 3583 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 3584 type: string 3585 values: 3586 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3587 type: array 3588 items: 3589 type: string 3590 x-kubernetes-map-type: atomic 3591 weight: 3592 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 3593 type: integer 3594 format: int32 3595 requiredDuringSchedulingIgnoredDuringExecution: 3596 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 3597 type: object 3598 required: 3599 - nodeSelectorTerms 3600 properties: 3601 nodeSelectorTerms: 3602 description: Required. A list of node selector terms. The terms are ORed. 3603 type: array 3604 items: 3605 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
3606 type: object 3607 properties: 3608 matchExpressions: 3609 description: A list of node selector requirements by node's labels. 3610 type: array 3611 items: 3612 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3613 type: object 3614 required: 3615 - key 3616 - operator 3617 properties: 3618 key: 3619 description: The label key that the selector applies to. 3620 type: string 3621 operator: 3622 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 3623 type: string 3624 values: 3625 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3626 type: array 3627 items: 3628 type: string 3629 matchFields: 3630 description: A list of node selector requirements by node's fields. 3631 type: array 3632 items: 3633 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3634 type: object 3635 required: 3636 - key 3637 - operator 3638 properties: 3639 key: 3640 description: The label key that the selector applies to. 3641 type: string 3642 operator: 3643 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 3644 type: string 3645 values: 3646 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. 3647 type: array 3648 items: 3649 type: string 3650 x-kubernetes-map-type: atomic 3651 x-kubernetes-map-type: atomic 3652 podAffinity: 3653 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 3654 type: object 3655 properties: 3656 preferredDuringSchedulingIgnoredDuringExecution: 3657 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 3658 type: array 3659 items: 3660 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 3661 type: object 3662 required: 3663 - podAffinityTerm 3664 - weight 3665 properties: 3666 podAffinityTerm: 3667 description: Required. A pod affinity term, associated with the corresponding weight. 3668 type: object 3669 required: 3670 - topologyKey 3671 properties: 3672 labelSelector: 3673 description: A label query over a set of resources, in this case pods. 3674 type: object 3675 properties: 3676 matchExpressions: 3677 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3678 type: array 3679 items: 3680 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
3681 type: object 3682 required: 3683 - key 3684 - operator 3685 properties: 3686 key: 3687 description: key is the label key that the selector applies to. 3688 type: string 3689 operator: 3690 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3691 type: string 3692 values: 3693 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3694 type: array 3695 items: 3696 type: string 3697 matchLabels: 3698 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3699 type: object 3700 additionalProperties: 3701 type: string 3702 x-kubernetes-map-type: atomic 3703 namespaceSelector: 3704 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3705 type: object 3706 properties: 3707 matchExpressions: 3708 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3709 type: array 3710 items: 3711 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3712 type: object 3713 required: 3714 - key 3715 - operator 3716 properties: 3717 key: 3718 description: key is the label key that the selector applies to. 3719 type: string 3720 operator: 3721 description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. 3722 type: string 3723 values: 3724 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3725 type: array 3726 items: 3727 type: string 3728 matchLabels: 3729 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3730 type: object 3731 additionalProperties: 3732 type: string 3733 x-kubernetes-map-type: atomic 3734 namespaces: 3735 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3736 type: array 3737 items: 3738 type: string 3739 topologyKey: 3740 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3741 type: string 3742 weight: 3743 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 3744 type: integer 3745 format: int32 3746 requiredDuringSchedulingIgnoredDuringExecution: 3747 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 3748 type: array 3749 items: 3750 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 3751 type: object 3752 required: 3753 - topologyKey 3754 properties: 3755 labelSelector: 3756 description: A label query over a set of resources, in this case pods. 3757 type: object 3758 properties: 3759 matchExpressions: 3760 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3761 type: array 3762 items: 3763 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3764 type: object 3765 required: 3766 - key 3767 - operator 3768 properties: 3769 key: 3770 description: key is the label key that the selector applies to. 3771 type: string 3772 operator: 3773 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3774 type: string 3775 values: 3776 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3777 type: array 3778 items: 3779 type: string 3780 matchLabels: 3781 description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3782 type: object 3783 additionalProperties: 3784 type: string 3785 x-kubernetes-map-type: atomic 3786 namespaceSelector: 3787 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3788 type: object 3789 properties: 3790 matchExpressions: 3791 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3792 type: array 3793 items: 3794 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3795 type: object 3796 required: 3797 - key 3798 - operator 3799 properties: 3800 key: 3801 description: key is the label key that the selector applies to. 3802 type: string 3803 operator: 3804 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3805 type: string 3806 values: 3807 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3808 type: array 3809 items: 3810 type: string 3811 matchLabels: 3812 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
3813 type: object 3814 additionalProperties: 3815 type: string 3816 x-kubernetes-map-type: atomic 3817 namespaces: 3818 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3819 type: array 3820 items: 3821 type: string 3822 topologyKey: 3823 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3824 type: string 3825 podAntiAffinity: 3826 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 3827 type: object 3828 properties: 3829 preferredDuringSchedulingIgnoredDuringExecution: 3830 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
3831 type: array 3832 items: 3833 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 3834 type: object 3835 required: 3836 - podAffinityTerm 3837 - weight 3838 properties: 3839 podAffinityTerm: 3840 description: Required. A pod affinity term, associated with the corresponding weight. 3841 type: object 3842 required: 3843 - topologyKey 3844 properties: 3845 labelSelector: 3846 description: A label query over a set of resources, in this case pods. 3847 type: object 3848 properties: 3849 matchExpressions: 3850 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3851 type: array 3852 items: 3853 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3854 type: object 3855 required: 3856 - key 3857 - operator 3858 properties: 3859 key: 3860 description: key is the label key that the selector applies to. 3861 type: string 3862 operator: 3863 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3864 type: string 3865 values: 3866 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3867 type: array 3868 items: 3869 type: string 3870 matchLabels: 3871 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
3872 type: object 3873 additionalProperties: 3874 type: string 3875 x-kubernetes-map-type: atomic 3876 namespaceSelector: 3877 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3878 type: object 3879 properties: 3880 matchExpressions: 3881 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3882 type: array 3883 items: 3884 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3885 type: object 3886 required: 3887 - key 3888 - operator 3889 properties: 3890 key: 3891 description: key is the label key that the selector applies to. 3892 type: string 3893 operator: 3894 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3895 type: string 3896 values: 3897 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3898 type: array 3899 items: 3900 type: string 3901 matchLabels: 3902 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3903 type: object 3904 additionalProperties: 3905 type: string 3906 x-kubernetes-map-type: atomic 3907 namespaces: 3908 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3909 type: array 3910 items: 3911 type: string 3912 topologyKey: 3913 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3914 type: string 3915 weight: 3916 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 3917 type: integer 3918 format: int32 3919 requiredDuringSchedulingIgnoredDuringExecution: 3920 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 3921 type: array 3922 items: 3923 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 3924 type: object 3925 required: 3926 - topologyKey 3927 properties: 3928 labelSelector: 3929 description: A label query over a set of resources, in this case pods. 
3930 type: object 3931 properties: 3932 matchExpressions: 3933 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3934 type: array 3935 items: 3936 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3937 type: object 3938 required: 3939 - key 3940 - operator 3941 properties: 3942 key: 3943 description: key is the label key that the selector applies to. 3944 type: string 3945 operator: 3946 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3947 type: string 3948 values: 3949 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3950 type: array 3951 items: 3952 type: string 3953 matchLabels: 3954 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3955 type: object 3956 additionalProperties: 3957 type: string 3958 x-kubernetes-map-type: atomic 3959 namespaceSelector: 3960 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3961 type: object 3962 properties: 3963 matchExpressions: 3964 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
3965 type: array 3966 items: 3967 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3968 type: object 3969 required: 3970 - key 3971 - operator 3972 properties: 3973 key: 3974 description: key is the label key that the selector applies to. 3975 type: string 3976 operator: 3977 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3978 type: string 3979 values: 3980 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3981 type: array 3982 items: 3983 type: string 3984 matchLabels: 3985 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3986 type: object 3987 additionalProperties: 3988 type: string 3989 x-kubernetes-map-type: atomic 3990 namespaces: 3991 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3992 type: array 3993 items: 3994 type: string 3995 topologyKey: 3996 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
3997 type: string 3998 imagePullSecrets: 3999 description: If specified, the pod's imagePullSecrets 4000 type: array 4001 items: 4002 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. 4003 type: object 4004 properties: 4005 name: 4006 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 4007 type: string 4008 x-kubernetes-map-type: atomic 4009 nodeSelector: 4010 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 4011 type: object 4012 additionalProperties: 4013 type: string 4014 priorityClassName: 4015 description: If specified, the pod's priorityClassName. 4016 type: string 4017 serviceAccountName: 4018 description: If specified, the pod's service account 4019 type: string 4020 tolerations: 4021 description: If specified, the pod's tolerations. 4022 type: array 4023 items: 4024 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 4025 type: object 4026 properties: 4027 effect: 4028 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 4029 type: string 4030 key: 4031 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 4032 type: string 4033 operator: 4034 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. 
Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 4035 type: string 4036 tolerationSeconds: 4037 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 4038 type: integer 4039 format: int64 4040 value: 4041 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 4042 type: string 4043 serviceType: 4044 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 4045 type: string 4046 selector: 4047 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 4048 type: object 4049 properties: 4050 dnsNames: 4051 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 4052 type: array 4053 items: 4054 type: string 4055 dnsZones: 4056 description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 4057 type: array 4058 items: 4059 type: string 4060 matchLabels: 4061 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. 4062 type: object 4063 additionalProperties: 4064 type: string 4065 ca: 4066 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 4067 type: object 4068 required: 4069 - secretName 4070 properties: 4071 crlDistributionPoints: 4072 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 4073 type: array 4074 items: 4075 type: string 4076 ocspServers: 4077 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 4078 type: array 4079 items: 4080 type: string 4081 secretName: 4082 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 
4083 type: string 4084 selfSigned: 4085 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 4086 type: object 4087 properties: 4088 crlDistributionPoints: 4089 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. 4090 type: array 4091 items: 4092 type: string 4093 vault: 4094 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 4095 type: object 4096 required: 4097 - auth 4098 - path 4099 - server 4100 properties: 4101 auth: 4102 description: Auth configures how cert-manager authenticates with the Vault server. 4103 type: object 4104 properties: 4105 appRole: 4106 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 4107 type: object 4108 required: 4109 - path 4110 - roleId 4111 - secretRef 4112 properties: 4113 path: 4114 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 4115 type: string 4116 roleId: 4117 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 4118 type: string 4119 secretRef: 4120 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 4121 type: object 4122 required: 4123 - name 4124 properties: 4125 key: 4126 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
4127 type: string 4128 name: 4129 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4130 type: string 4131 kubernetes: 4132 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 4133 type: object 4134 required: 4135 - role 4136 properties: 4137 mountPath: 4138 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 4139 type: string 4140 role: 4141 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 4142 type: string 4143 secretRef: 4144 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 4145 type: object 4146 required: 4147 - name 4148 properties: 4149 key: 4150 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4151 type: string 4152 name: 4153 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4154 type: string 4155 serviceAccountRef: 4156 description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. 
4157 type: object 4158 required: 4159 - name 4160 properties: 4161 name: 4162 description: Name of the ServiceAccount used to request a token. 4163 type: string 4164 tokenSecretRef: 4165 description: TokenSecretRef authenticates with Vault by presenting a token. 4166 type: object 4167 required: 4168 - name 4169 properties: 4170 key: 4171 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4172 type: string 4173 name: 4174 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4175 type: string 4176 caBundle: 4177 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. 4178 type: string 4179 format: byte 4180 caBundleSecretRef: 4181 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. 4182 type: object 4183 required: 4184 - name 4185 properties: 4186 key: 4187 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4188 type: string 4189 name: 4190 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4191 type: string 4192 namespace: 4193 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' 4194 type: string 4195 path: 4196 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 4197 type: string 4198 server: 4199 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 4200 type: string 4201 venafi: 4202 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 4203 type: object 4204 required: 4205 - zone 4206 properties: 4207 cloud: 4208 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 4209 type: object 4210 required: 4211 - apiTokenSecretRef 4212 properties: 4213 apiTokenSecretRef: 4214 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 4215 type: object 4216 required: 4217 - name 4218 properties: 4219 key: 4220 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4221 type: string 4222 name: 4223 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4224 type: string 4225 url: 4226 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 4227 type: string 4228 tpp: 4229 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 
4230 type: object 4231 required: 4232 - credentialsRef 4233 - url 4234 properties: 4235 caBundle: 4236 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. 4237 type: string 4238 format: byte 4239 credentialsRef: 4240 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 4241 type: object 4242 required: 4243 - name 4244 properties: 4245 name: 4246 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4247 type: string 4248 url: 4249 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 4250 type: string 4251 zone: 4252 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 4253 type: string 4254 status: 4255 description: Status of the Issuer. This is set and managed automatically. 4256 type: object 4257 properties: 4258 acme: 4259 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
4260 type: object 4261 properties: 4262 lastPrivateKeyHash: 4263 description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 4264 type: string 4265 lastRegisteredEmail: 4266 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 4267 type: string 4268 uri: 4269 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA 4270 type: string 4271 conditions: 4272 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. 4273 type: array 4274 items: 4275 description: IssuerCondition contains condition information for an Issuer. 4276 type: object 4277 required: 4278 - status 4279 - type 4280 properties: 4281 lastTransitionTime: 4282 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 4283 type: string 4284 format: date-time 4285 message: 4286 description: Message is a human readable description of the details of the last transition, complementing reason. 4287 type: string 4288 observedGeneration: 4289 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 4290 type: integer 4291 format: int64 4292 reason: 4293 description: Reason is a brief machine readable explanation for the condition's last transition. 4294 type: string 4295 status: 4296 description: Status of the condition, one of (`True`, `False`, `Unknown`). 
4297 type: string 4298 enum: 4299 - "True" 4300 - "False" 4301 - Unknown 4302 type: 4303 description: Type of the condition, known values are (`Ready`). 4304 type: string 4305 x-kubernetes-list-map-keys: 4306 - type 4307 x-kubernetes-list-type: map 4308 served: true 4309 storage: true 4310 --- 4311 # Source: cert-manager/templates/crds.yaml 4312 apiVersion: apiextensions.k8s.io/v1 4313 kind: CustomResourceDefinition 4314 metadata: 4315 name: orders.acme.cert-manager.io 4316 labels: 4317 app: 'cert-manager' 4318 app.kubernetes.io/name: 'cert-manager' 4319 app.kubernetes.io/instance: 'cert-manager' 4320 # Generated labels 4321 app.kubernetes.io/version: "v1.12.3" 4322 spec: 4323 group: acme.cert-manager.io 4324 names: 4325 kind: Order 4326 listKind: OrderList 4327 plural: orders 4328 singular: order 4329 categories: 4330 - cert-manager 4331 - cert-manager-acme 4332 scope: Namespaced 4333 versions: 4334 - name: v1 4335 subresources: 4336 status: {} 4337 additionalPrinterColumns: 4338 - jsonPath: .status.state 4339 name: State 4340 type: string 4341 - jsonPath: .spec.issuerRef.name 4342 name: Issuer 4343 priority: 1 4344 type: string 4345 - jsonPath: .status.reason 4346 name: Reason 4347 priority: 1 4348 type: string 4349 - jsonPath: .metadata.creationTimestamp 4350 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 4351 name: Age 4352 type: date 4353 schema: 4354 openAPIV3Schema: 4355 description: Order is a type to represent an Order with an ACME server 4356 type: object 4357 required: 4358 - metadata 4359 - spec 4360 properties: 4361 apiVersion: 4362 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4363 type: string 4364 kind: 4365 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4366 type: string 4367 metadata: 4368 type: object 4369 spec: 4370 type: object 4371 required: 4372 - issuerRef 4373 - request 4374 properties: 4375 commonName: 4376 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. 4377 type: string 4378 dnsNames: 4379 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4380 type: array 4381 items: 4382 type: string 4383 duration: 4384 description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. 4385 type: string 4386 ipAddresses: 4387 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4388 type: array 4389 items: 4390 type: string 4391 issuerRef: 4392 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. 4393 type: object 4394 required: 4395 - name 4396 properties: 4397 group: 4398 description: Group of the resource being referred to. 
4399 type: string 4400 kind: 4401 description: Kind of the resource being referred to. 4402 type: string 4403 name: 4404 description: Name of the resource being referred to. 4405 type: string 4406 request: 4407 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 4408 type: string 4409 format: byte 4410 status: 4411 type: object 4412 properties: 4413 authorizations: 4414 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. 4415 type: array 4416 items: 4417 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. 4418 type: object 4419 required: 4420 - url 4421 properties: 4422 challenges: 4423 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. 4424 type: array 4425 items: 4426 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 4427 type: object 4428 required: 4429 - token 4430 - type 4431 - url 4432 properties: 4433 token: 4434 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. 4435 type: string 4436 type: 4437 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. 4438 type: string 4439 url: 4440 description: URL is the URL of this challenge. 
It can be used to retrieve additional metadata about the Challenge from the ACME server. 4441 type: string 4442 identifier: 4443 description: Identifier is the DNS name to be validated as part of this authorization 4444 type: string 4445 initialState: 4446 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. 4447 type: string 4448 enum: 4449 - valid 4450 - ready 4451 - pending 4452 - processing 4453 - invalid 4454 - expired 4455 - errored 4456 url: 4457 description: URL is the URL of the Authorization that must be completed 4458 type: string 4459 wildcard: 4460 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. 4461 type: boolean 4462 certificate: 4463 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. 4464 type: string 4465 format: byte 4466 failureTime: 4467 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. 4468 type: string 4469 format: date-time 4470 finalizeURL: 4471 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. 
# Tail of the orders.acme.cert-manager.io CRD schema (the document itself begins above this section).
                  type: string
                reason:
                  description: Reason optionally provides more information about a why the order is in the current state.
                  type: string
                state:
                  description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
                  type: string
                  # NOTE(review): the description names a 'success' state, but the enum below has no such
                  # value; presumably 'valid' is the final successful state — confirm against the controller.
                  enum:
                    - valid
                    - ready
                    - pending
                    - processing
                    - invalid
                    - expired
                    - errored
                url:
                  description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
                  type: string
      served: true
      storage: true
---
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
# The API token for this account is mounted into every pod that runs as it.
# NOTE(review): the bindings that attach the ClusterRoles defined later in this file to
# these ServiceAccounts are outside this section; confirm them before assuming the
# token grants less than the cluster-wide rules below.
automountServiceAccountToken: true
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.12.3"
---
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
# Token mounted into the controller pods; see the note on cert-manager-cainjector above.
automountServiceAccountToken: true
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
# Token mounted into the webhook pods; see the note on cert-manager-cainjector above.
automountServiceAccountToken: true
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.12.3"
---
# Source: cert-manager/templates/webhook-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.12.3"
# NOTE(review): `data` renders with no keys here (YAML null); presumably no webhook
# configuration overrides were supplied when this chart was rendered.
data:
---
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.12.3"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Cluster-wide read of every Secret: a ClusterRole carries no namespace scoping.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  # Write access to the objects whose caBundle the API server trusts (admission
  # webhook configurations, APIServices, CRDs). Together with the Secret read above
  # this identity can change which CA the API server trusts for those endpoints, so
  # treat its token as highly privileged: audit update/patch on these resources and
  # alert on any such write by a principal other than this ServiceAccount.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # Issuer credentials referenced by the Issuer schema above (CA signing keypairs,
  # Vault/Venafi credentials, ACME account keys) live in Secrets. This grant is
  # cluster-wide, not limited to the cert-manager namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Same cluster-wide Secret grant as the Issuer controller role above.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # Widest Secret grant in this file (the only one that also has patch); presumably
  # where the issued certificate Secrets are written. Cluster-wide by design.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Read-only on Secrets here, unlike the issuer/certificate controller roles above.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  # Cluster-wide create/delete of pods and services plus create/update/delete of
  # ingresses and HTTPRoutes: the solver writes into workload namespaces, so an
  # ingress update under this identity can affect routing for other hostnames.
  # In a deployment that uses only DNS-01 solvers these are the rules a hardened
  # render would drop first.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [ "gateway.networking.k8s.io" ]
    resources: [ "httproutes" ]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
rules:
  # Write access to Certificates/CertificateRequests paired with read-only access to
  # the Ingress and Gateway API objects this controller acts on; no Secret access.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Aggregated into the built-in view, edit and admin ClusterRoles: any subject holding
# one of those roles in a namespace can read the cert-manager resources there. Note
# that Orders expose the DER CSR (spec.request), the ACME challenge tokens and the
# issued certificate (status) — see the Order schema above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]
---
# Source: cert-manager/templates/rbac.yaml
# Aggregated into the built-in edit and admin ClusterRoles (document continues past this section).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.3"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests",
"issuers"] 4841 verbs: ["create", "delete", "deletecollection", "patch", "update"] 4842 - apiGroups: ["cert-manager.io"] 4843 resources: ["certificates/status"] 4844 verbs: ["update"] 4845 - apiGroups: ["acme.cert-manager.io"] 4846 resources: ["challenges", "orders"] 4847 verbs: ["create", "delete", "deletecollection", "patch", "update"] 4848 --- 4849 # Source: cert-manager/templates/rbac.yaml 4850 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers 4851 apiVersion: rbac.authorization.k8s.io/v1 4852 kind: ClusterRole 4853 metadata: 4854 name: cert-manager-controller-approve:cert-manager-io 4855 labels: 4856 app: cert-manager 4857 app.kubernetes.io/name: cert-manager 4858 app.kubernetes.io/instance: cert-manager 4859 app.kubernetes.io/component: "cert-manager" 4860 app.kubernetes.io/version: "v1.12.3" 4861 rules: 4862 - apiGroups: ["cert-manager.io"] 4863 resources: ["signers"] 4864 verbs: ["approve"] 4865 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 4866 --- 4867 # Source: cert-manager/templates/rbac.yaml 4868 # Permission to: 4869 # - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers 4870 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers 4871 apiVersion: rbac.authorization.k8s.io/v1 4872 kind: ClusterRole 4873 metadata: 4874 name: cert-manager-controller-certificatesigningrequests 4875 labels: 4876 app: cert-manager 4877 app.kubernetes.io/name: cert-manager 4878 app.kubernetes.io/instance: cert-manager 4879 app.kubernetes.io/component: "cert-manager" 4880 app.kubernetes.io/version: "v1.12.3" 4881 rules: 4882 - apiGroups: ["certificates.k8s.io"] 4883 resources: ["certificatesigningrequests"] 4884 verbs: ["get", "list", "watch", "update"] 4885 - apiGroups: ["certificates.k8s.io"] 4886 resources: ["certificatesigningrequests/status"] 4887 verbs: ["update", "patch"] 4888 - apiGroups: 
["certificates.k8s.io"] 4889 resources: ["signers"] 4890 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 4891 verbs: ["sign"] 4892 - apiGroups: ["authorization.k8s.io"] 4893 resources: ["subjectaccessreviews"] 4894 verbs: ["create"] 4895 --- 4896 # Source: cert-manager/templates/webhook-rbac.yaml 4897 apiVersion: rbac.authorization.k8s.io/v1 4898 kind: ClusterRole 4899 metadata: 4900 name: cert-manager-webhook:subjectaccessreviews 4901 labels: 4902 app: webhook 4903 app.kubernetes.io/name: webhook 4904 app.kubernetes.io/instance: cert-manager 4905 app.kubernetes.io/component: "webhook" 4906 app.kubernetes.io/version: "v1.12.3" 4907 rules: 4908 - apiGroups: ["authorization.k8s.io"] 4909 resources: ["subjectaccessreviews"] 4910 verbs: ["create"] 4911 --- 4912 # Source: cert-manager/templates/cainjector-rbac.yaml 4913 apiVersion: rbac.authorization.k8s.io/v1 4914 kind: ClusterRoleBinding 4915 metadata: 4916 name: cert-manager-cainjector 4917 labels: 4918 app: cainjector 4919 app.kubernetes.io/name: cainjector 4920 app.kubernetes.io/instance: cert-manager 4921 app.kubernetes.io/component: "cainjector" 4922 app.kubernetes.io/version: "v1.12.3" 4923 roleRef: 4924 apiGroup: rbac.authorization.k8s.io 4925 kind: ClusterRole 4926 name: cert-manager-cainjector 4927 subjects: 4928 - name: cert-manager-cainjector 4929 namespace: cert-manager 4930 kind: ServiceAccount 4931 --- 4932 # Source: cert-manager/templates/rbac.yaml 4933 apiVersion: rbac.authorization.k8s.io/v1 4934 kind: ClusterRoleBinding 4935 metadata: 4936 name: cert-manager-controller-issuers 4937 labels: 4938 app: cert-manager 4939 app.kubernetes.io/name: cert-manager 4940 app.kubernetes.io/instance: cert-manager 4941 app.kubernetes.io/component: "controller" 4942 app.kubernetes.io/version: "v1.12.3" 4943 roleRef: 4944 apiGroup: rbac.authorization.k8s.io 4945 kind: ClusterRole 4946 name: cert-manager-controller-issuers 4947 subjects: 4948 - name: cert-manager 4949 namespace: 
cert-manager 4950 kind: ServiceAccount 4951 --- 4952 # Source: cert-manager/templates/rbac.yaml 4953 apiVersion: rbac.authorization.k8s.io/v1 4954 kind: ClusterRoleBinding 4955 metadata: 4956 name: cert-manager-controller-clusterissuers 4957 labels: 4958 app: cert-manager 4959 app.kubernetes.io/name: cert-manager 4960 app.kubernetes.io/instance: cert-manager 4961 app.kubernetes.io/component: "controller" 4962 app.kubernetes.io/version: "v1.12.3" 4963 roleRef: 4964 apiGroup: rbac.authorization.k8s.io 4965 kind: ClusterRole 4966 name: cert-manager-controller-clusterissuers 4967 subjects: 4968 - name: cert-manager 4969 namespace: cert-manager 4970 kind: ServiceAccount 4971 --- 4972 # Source: cert-manager/templates/rbac.yaml 4973 apiVersion: rbac.authorization.k8s.io/v1 4974 kind: ClusterRoleBinding 4975 metadata: 4976 name: cert-manager-controller-certificates 4977 labels: 4978 app: cert-manager 4979 app.kubernetes.io/name: cert-manager 4980 app.kubernetes.io/instance: cert-manager 4981 app.kubernetes.io/component: "controller" 4982 app.kubernetes.io/version: "v1.12.3" 4983 roleRef: 4984 apiGroup: rbac.authorization.k8s.io 4985 kind: ClusterRole 4986 name: cert-manager-controller-certificates 4987 subjects: 4988 - name: cert-manager 4989 namespace: cert-manager 4990 kind: ServiceAccount 4991 --- 4992 # Source: cert-manager/templates/rbac.yaml 4993 apiVersion: rbac.authorization.k8s.io/v1 4994 kind: ClusterRoleBinding 4995 metadata: 4996 name: cert-manager-controller-orders 4997 labels: 4998 app: cert-manager 4999 app.kubernetes.io/name: cert-manager 5000 app.kubernetes.io/instance: cert-manager 5001 app.kubernetes.io/component: "controller" 5002 app.kubernetes.io/version: "v1.12.3" 5003 roleRef: 5004 apiGroup: rbac.authorization.k8s.io 5005 kind: ClusterRole 5006 name: cert-manager-controller-orders 5007 subjects: 5008 - name: cert-manager 5009 namespace: cert-manager 5010 kind: ServiceAccount 5011 --- 5012 # Source: cert-manager/templates/rbac.yaml 5013 apiVersion: 
rbac.authorization.k8s.io/v1 5014 kind: ClusterRoleBinding 5015 metadata: 5016 name: cert-manager-controller-challenges 5017 labels: 5018 app: cert-manager 5019 app.kubernetes.io/name: cert-manager 5020 app.kubernetes.io/instance: cert-manager 5021 app.kubernetes.io/component: "controller" 5022 app.kubernetes.io/version: "v1.12.3" 5023 roleRef: 5024 apiGroup: rbac.authorization.k8s.io 5025 kind: ClusterRole 5026 name: cert-manager-controller-challenges 5027 subjects: 5028 - name: cert-manager 5029 namespace: cert-manager 5030 kind: ServiceAccount 5031 --- 5032 # Source: cert-manager/templates/rbac.yaml 5033 apiVersion: rbac.authorization.k8s.io/v1 5034 kind: ClusterRoleBinding 5035 metadata: 5036 name: cert-manager-controller-ingress-shim 5037 labels: 5038 app: cert-manager 5039 app.kubernetes.io/name: cert-manager 5040 app.kubernetes.io/instance: cert-manager 5041 app.kubernetes.io/component: "controller" 5042 app.kubernetes.io/version: "v1.12.3" 5043 roleRef: 5044 apiGroup: rbac.authorization.k8s.io 5045 kind: ClusterRole 5046 name: cert-manager-controller-ingress-shim 5047 subjects: 5048 - name: cert-manager 5049 namespace: cert-manager 5050 kind: ServiceAccount 5051 --- 5052 # Source: cert-manager/templates/rbac.yaml 5053 apiVersion: rbac.authorization.k8s.io/v1 5054 kind: ClusterRoleBinding 5055 metadata: 5056 name: cert-manager-controller-approve:cert-manager-io 5057 labels: 5058 app: cert-manager 5059 app.kubernetes.io/name: cert-manager 5060 app.kubernetes.io/instance: cert-manager 5061 app.kubernetes.io/component: "cert-manager" 5062 app.kubernetes.io/version: "v1.12.3" 5063 roleRef: 5064 apiGroup: rbac.authorization.k8s.io 5065 kind: ClusterRole 5066 name: cert-manager-controller-approve:cert-manager-io 5067 subjects: 5068 - name: cert-manager 5069 namespace: cert-manager 5070 kind: ServiceAccount 5071 --- 5072 # Source: cert-manager/templates/rbac.yaml 5073 apiVersion: rbac.authorization.k8s.io/v1 5074 kind: ClusterRoleBinding 5075 metadata: 5076 name: 
cert-manager-controller-certificatesigningrequests 5077 labels: 5078 app: cert-manager 5079 app.kubernetes.io/name: cert-manager 5080 app.kubernetes.io/instance: cert-manager 5081 app.kubernetes.io/component: "cert-manager" 5082 app.kubernetes.io/version: "v1.12.3" 5083 roleRef: 5084 apiGroup: rbac.authorization.k8s.io 5085 kind: ClusterRole 5086 name: cert-manager-controller-certificatesigningrequests 5087 subjects: 5088 - name: cert-manager 5089 namespace: cert-manager 5090 kind: ServiceAccount 5091 --- 5092 # Source: cert-manager/templates/webhook-rbac.yaml 5093 apiVersion: rbac.authorization.k8s.io/v1 5094 kind: ClusterRoleBinding 5095 metadata: 5096 name: cert-manager-webhook:subjectaccessreviews 5097 labels: 5098 app: webhook 5099 app.kubernetes.io/name: webhook 5100 app.kubernetes.io/instance: cert-manager 5101 app.kubernetes.io/component: "webhook" 5102 app.kubernetes.io/version: "v1.12.3" 5103 roleRef: 5104 apiGroup: rbac.authorization.k8s.io 5105 kind: ClusterRole 5106 name: cert-manager-webhook:subjectaccessreviews 5107 subjects: 5108 - apiGroup: "" 5109 kind: ServiceAccount 5110 name: cert-manager-webhook 5111 namespace: cert-manager 5112 --- 5113 # Source: cert-manager/templates/cainjector-rbac.yaml 5114 # leader election rules 5115 apiVersion: rbac.authorization.k8s.io/v1 5116 kind: Role 5117 metadata: 5118 name: cert-manager-cainjector:leaderelection 5119 namespace: kube-system 5120 labels: 5121 app: cainjector 5122 app.kubernetes.io/name: cainjector 5123 app.kubernetes.io/instance: cert-manager 5124 app.kubernetes.io/component: "cainjector" 5125 app.kubernetes.io/version: "v1.12.3" 5126 rules: 5127 # Used for leader election by the controller 5128 # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller 5129 # see cmd/cainjector/start.go#L113 5130 # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller 5131 # see cmd/cainjector/start.go#L137 5132 - apiGroups: 
["coordination.k8s.io"] 5133 resources: ["leases"] 5134 resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] 5135 verbs: ["get", "update", "patch"] 5136 - apiGroups: ["coordination.k8s.io"] 5137 resources: ["leases"] 5138 verbs: ["create"] 5139 --- 5140 # Source: cert-manager/templates/rbac.yaml 5141 apiVersion: rbac.authorization.k8s.io/v1 5142 kind: Role 5143 metadata: 5144 name: cert-manager:leaderelection 5145 namespace: kube-system 5146 labels: 5147 app: cert-manager 5148 app.kubernetes.io/name: cert-manager 5149 app.kubernetes.io/instance: cert-manager 5150 app.kubernetes.io/component: "controller" 5151 app.kubernetes.io/version: "v1.12.3" 5152 rules: 5153 - apiGroups: ["coordination.k8s.io"] 5154 resources: ["leases"] 5155 resourceNames: ["cert-manager-controller"] 5156 verbs: ["get", "update", "patch"] 5157 - apiGroups: ["coordination.k8s.io"] 5158 resources: ["leases"] 5159 verbs: ["create"] 5160 --- 5161 # Source: cert-manager/templates/webhook-rbac.yaml 5162 apiVersion: rbac.authorization.k8s.io/v1 5163 kind: Role 5164 metadata: 5165 name: cert-manager-webhook:dynamic-serving 5166 namespace: cert-manager 5167 labels: 5168 app: webhook 5169 app.kubernetes.io/name: webhook 5170 app.kubernetes.io/instance: cert-manager 5171 app.kubernetes.io/component: "webhook" 5172 app.kubernetes.io/version: "v1.12.3" 5173 rules: 5174 - apiGroups: [""] 5175 resources: ["secrets"] 5176 resourceNames: 5177 - 'cert-manager-webhook-ca' 5178 verbs: ["get", "list", "watch", "update"] 5179 # It's not possible to grant CREATE permission on a single resourceName. 
5180 - apiGroups: [""] 5181 resources: ["secrets"] 5182 verbs: ["create"] 5183 --- 5184 # Source: cert-manager/templates/cainjector-rbac.yaml 5185 # grant cert-manager permission to manage the leaderelection configmap in the 5186 # leader election namespace 5187 apiVersion: rbac.authorization.k8s.io/v1 5188 kind: RoleBinding 5189 metadata: 5190 name: cert-manager-cainjector:leaderelection 5191 namespace: kube-system 5192 labels: 5193 app: cainjector 5194 app.kubernetes.io/name: cainjector 5195 app.kubernetes.io/instance: cert-manager 5196 app.kubernetes.io/component: "cainjector" 5197 app.kubernetes.io/version: "v1.12.3" 5198 roleRef: 5199 apiGroup: rbac.authorization.k8s.io 5200 kind: Role 5201 name: cert-manager-cainjector:leaderelection 5202 subjects: 5203 - kind: ServiceAccount 5204 name: cert-manager-cainjector 5205 namespace: cert-manager 5206 --- 5207 # Source: cert-manager/templates/rbac.yaml 5208 # grant cert-manager permission to manage the leaderelection configmap in the 5209 # leader election namespace 5210 apiVersion: rbac.authorization.k8s.io/v1 5211 kind: RoleBinding 5212 metadata: 5213 name: cert-manager:leaderelection 5214 namespace: kube-system 5215 labels: 5216 app: cert-manager 5217 app.kubernetes.io/name: cert-manager 5218 app.kubernetes.io/instance: cert-manager 5219 app.kubernetes.io/component: "controller" 5220 app.kubernetes.io/version: "v1.12.3" 5221 roleRef: 5222 apiGroup: rbac.authorization.k8s.io 5223 kind: Role 5224 name: cert-manager:leaderelection 5225 subjects: 5226 - apiGroup: "" 5227 kind: ServiceAccount 5228 name: cert-manager 5229 namespace: cert-manager 5230 --- 5231 # Source: cert-manager/templates/webhook-rbac.yaml 5232 apiVersion: rbac.authorization.k8s.io/v1 5233 kind: RoleBinding 5234 metadata: 5235 name: cert-manager-webhook:dynamic-serving 5236 namespace: cert-manager 5237 labels: 5238 app: webhook 5239 app.kubernetes.io/name: webhook 5240 app.kubernetes.io/instance: cert-manager 5241 app.kubernetes.io/component: 
"webhook" 5242 app.kubernetes.io/version: "v1.12.3" 5243 roleRef: 5244 apiGroup: rbac.authorization.k8s.io 5245 kind: Role 5246 name: cert-manager-webhook:dynamic-serving 5247 subjects: 5248 - apiGroup: "" 5249 kind: ServiceAccount 5250 name: cert-manager-webhook 5251 namespace: cert-manager 5252 --- 5253 # Source: cert-manager/templates/service.yaml 5254 apiVersion: v1 5255 kind: Service 5256 metadata: 5257 name: cert-manager 5258 namespace: cert-manager 5259 labels: 5260 app: cert-manager 5261 app.kubernetes.io/name: cert-manager 5262 app.kubernetes.io/instance: cert-manager 5263 app.kubernetes.io/component: "controller" 5264 app.kubernetes.io/version: "v1.12.3" 5265 spec: 5266 type: ClusterIP 5267 ports: 5268 - protocol: TCP 5269 port: 9402 5270 name: tcp-prometheus-servicemonitor 5271 targetPort: 9402 5272 selector: 5273 app.kubernetes.io/name: cert-manager 5274 app.kubernetes.io/instance: cert-manager 5275 app.kubernetes.io/component: "controller" 5276 --- 5277 # Source: cert-manager/templates/webhook-service.yaml 5278 apiVersion: v1 5279 kind: Service 5280 metadata: 5281 name: cert-manager-webhook 5282 namespace: cert-manager 5283 labels: 5284 app: webhook 5285 app.kubernetes.io/name: webhook 5286 app.kubernetes.io/instance: cert-manager 5287 app.kubernetes.io/component: "webhook" 5288 app.kubernetes.io/version: "v1.12.3" 5289 spec: 5290 type: ClusterIP 5291 ports: 5292 - name: https 5293 port: 443 5294 protocol: TCP 5295 targetPort: "https" 5296 selector: 5297 app.kubernetes.io/name: webhook 5298 app.kubernetes.io/instance: cert-manager 5299 app.kubernetes.io/component: "webhook" 5300 --- 5301 # Source: cert-manager/templates/cainjector-deployment.yaml 5302 apiVersion: apps/v1 5303 kind: Deployment 5304 metadata: 5305 name: cert-manager-cainjector 5306 namespace: cert-manager 5307 labels: 5308 app: cainjector 5309 app.kubernetes.io/name: cainjector 5310 app.kubernetes.io/instance: cert-manager 5311 app.kubernetes.io/component: "cainjector" 5312 
app.kubernetes.io/version: "v1.12.3" 5313 spec: 5314 replicas: 1 5315 selector: 5316 matchLabels: 5317 app.kubernetes.io/name: cainjector 5318 app.kubernetes.io/instance: cert-manager 5319 app.kubernetes.io/component: "cainjector" 5320 template: 5321 metadata: 5322 labels: 5323 app: cainjector 5324 app.kubernetes.io/name: cainjector 5325 app.kubernetes.io/instance: cert-manager 5326 app.kubernetes.io/component: "cainjector" 5327 app.kubernetes.io/version: "v1.12.3" 5328 spec: 5329 serviceAccountName: cert-manager-cainjector 5330 securityContext: 5331 runAsNonRoot: true 5332 seccompProfile: 5333 type: RuntimeDefault 5334 containers: 5335 - name: cert-manager-cainjector 5336 image: {{ .Values.images.defaultImage.registry }}/{{ .Values.images.cainjector.repository }}:{{ .Values.images.defaultImage.tag }} 5337 imagePullPolicy: {{ .Values.images.defaultImage.pullPolicy }} 5338 args: 5339 - --v=2 5340 - --leader-election-namespace=kube-system 5341 env: 5342 - name: POD_NAMESPACE 5343 valueFrom: 5344 fieldRef: 5345 fieldPath: metadata.namespace 5346 securityContext: 5347 allowPrivilegeEscalation: false 5348 capabilities: 5349 drop: 5350 - ALL 5351 nodeSelector: 5352 kubernetes.io/os: linux 5353 --- 5354 # Source: cert-manager/templates/deployment.yaml 5355 apiVersion: apps/v1 5356 kind: Deployment 5357 metadata: 5358 name: cert-manager 5359 namespace: cert-manager 5360 labels: 5361 app: cert-manager 5362 app.kubernetes.io/name: cert-manager 5363 app.kubernetes.io/instance: cert-manager 5364 app.kubernetes.io/component: "controller" 5365 app.kubernetes.io/version: "v1.12.3" 5366 spec: 5367 replicas: 1 5368 selector: 5369 matchLabels: 5370 app.kubernetes.io/name: cert-manager 5371 app.kubernetes.io/instance: cert-manager 5372 app.kubernetes.io/component: "controller" 5373 template: 5374 metadata: 5375 labels: 5376 app: cert-manager 5377 app.kubernetes.io/name: cert-manager 5378 app.kubernetes.io/instance: cert-manager 5379 app.kubernetes.io/component: "controller" 5380 
app.kubernetes.io/version: "v1.12.3" 5381 annotations: 5382 prometheus.io/path: "/metrics" 5383 prometheus.io/scrape: 'true' 5384 prometheus.io/port: '9402' 5385 spec: 5386 serviceAccountName: cert-manager 5387 securityContext: 5388 runAsNonRoot: true 5389 seccompProfile: 5390 type: RuntimeDefault 5391 containers: 5392 - name: cert-manager-controller 5393 image: {{ .Values.images.defaultImage.registry }}/{{ .Values.images.controller.repository }}:{{ .Values.images.defaultImage.tag }} 5394 imagePullPolicy: {{ .Values.images.defaultImage.pullPolicy }} 5395 args: 5396 - --v=2 5397 - --cluster-resource-namespace=$(POD_NAMESPACE) 5398 - --leader-election-namespace=kube-system 5399 - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.3 5400 - --max-concurrent-challenges=60 5401 ports: 5402 - containerPort: 9402 5403 name: http-metrics 5404 protocol: TCP 5405 - containerPort: 9403 5406 name: http-healthz 5407 protocol: TCP 5408 securityContext: 5409 allowPrivilegeEscalation: false 5410 capabilities: 5411 drop: 5412 - ALL 5413 env: 5414 - name: POD_NAMESPACE 5415 valueFrom: 5416 fieldRef: 5417 fieldPath: metadata.namespace 5418 nodeSelector: 5419 kubernetes.io/os: linux 5420 --- 5421 # Source: cert-manager/templates/webhook-deployment.yaml 5422 apiVersion: apps/v1 5423 kind: Deployment 5424 metadata: 5425 name: cert-manager-webhook 5426 namespace: cert-manager 5427 labels: 5428 app: webhook 5429 app.kubernetes.io/name: webhook 5430 app.kubernetes.io/instance: cert-manager 5431 app.kubernetes.io/component: "webhook" 5432 app.kubernetes.io/version: "v1.12.3" 5433 spec: 5434 replicas: 1 5435 selector: 5436 matchLabels: 5437 app.kubernetes.io/name: webhook 5438 app.kubernetes.io/instance: cert-manager 5439 app.kubernetes.io/component: "webhook" 5440 template: 5441 metadata: 5442 labels: 5443 app: webhook 5444 app.kubernetes.io/name: webhook 5445 app.kubernetes.io/instance: cert-manager 5446 app.kubernetes.io/component: "webhook" 5447 
app.kubernetes.io/version: "v1.12.3" 5448 spec: 5449 serviceAccountName: cert-manager-webhook 5450 securityContext: 5451 runAsNonRoot: true 5452 seccompProfile: 5453 type: RuntimeDefault 5454 containers: 5455 - name: cert-manager-webhook 5456 image: {{ .Values.images.defaultImage.registry }}/{{ .Values.images.webhook.repository }}:{{ .Values.images.defaultImage.tag }} 5457 imagePullPolicy: {{ .Values.images.defaultImage.pullPolicy }} 5458 args: 5459 - --v=2 5460 - --secure-port=10250 5461 - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) 5462 - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca 5463 - --dynamic-serving-dns-names=cert-manager-webhook 5464 - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE) 5465 - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc 5466 5467 ports: 5468 - name: https 5469 protocol: TCP 5470 containerPort: 10250 5471 - name: healthcheck 5472 protocol: TCP 5473 containerPort: 6080 5474 livenessProbe: 5475 httpGet: 5476 path: /livez 5477 port: 6080 5478 scheme: HTTP 5479 initialDelaySeconds: 60 5480 periodSeconds: 10 5481 timeoutSeconds: 1 5482 successThreshold: 1 5483 failureThreshold: 3 5484 readinessProbe: 5485 httpGet: 5486 path: /healthz 5487 port: 6080 5488 scheme: HTTP 5489 initialDelaySeconds: 5 5490 periodSeconds: 5 5491 timeoutSeconds: 1 5492 successThreshold: 1 5493 failureThreshold: 3 5494 securityContext: 5495 allowPrivilegeEscalation: false 5496 capabilities: 5497 drop: 5498 - ALL 5499 env: 5500 - name: POD_NAMESPACE 5501 valueFrom: 5502 fieldRef: 5503 fieldPath: metadata.namespace 5504 nodeSelector: 5505 kubernetes.io/os: linux 5506 --- 5507 # Source: cert-manager/templates/webhook-mutating-webhook.yaml 5508 apiVersion: admissionregistration.k8s.io/v1 5509 kind: MutatingWebhookConfiguration 5510 metadata: 5511 name: cert-manager-webhook 5512 labels: 5513 app: webhook 5514 app.kubernetes.io/name: webhook 5515 app.kubernetes.io/instance: cert-manager 5516 
app.kubernetes.io/component: "webhook" 5517 app.kubernetes.io/version: "v1.12.3" 5518 annotations: 5519 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" 5520 webhooks: 5521 - name: webhook.cert-manager.io 5522 rules: 5523 - apiGroups: 5524 - "cert-manager.io" 5525 - "acme.cert-manager.io" 5526 apiVersions: 5527 - "v1" 5528 operations: 5529 - CREATE 5530 - UPDATE 5531 resources: 5532 - "*/*" 5533 admissionReviewVersions: ["v1"] 5534 # This webhook only accepts v1 cert-manager resources. 5535 # Equivalent matchPolicy ensures that non-v1 resource requests are sent to 5536 # this webhook (after the resources have been converted to v1). 5537 matchPolicy: Equivalent 5538 timeoutSeconds: 10 5539 failurePolicy: Fail 5540 # Only include 'sideEffects' field in Kubernetes 1.12+ 5541 sideEffects: None 5542 clientConfig: 5543 service: 5544 name: cert-manager-webhook 5545 namespace: cert-manager 5546 path: /mutate 5547 --- 5548 # Source: cert-manager/templates/webhook-validating-webhook.yaml 5549 apiVersion: admissionregistration.k8s.io/v1 5550 kind: ValidatingWebhookConfiguration 5551 metadata: 5552 name: cert-manager-webhook 5553 labels: 5554 app: webhook 5555 app.kubernetes.io/name: webhook 5556 app.kubernetes.io/instance: cert-manager 5557 app.kubernetes.io/component: "webhook" 5558 app.kubernetes.io/version: "v1.12.3" 5559 annotations: 5560 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" 5561 webhooks: 5562 - name: webhook.cert-manager.io 5563 namespaceSelector: 5564 matchExpressions: 5565 - key: "cert-manager.io/disable-validation" 5566 operator: "NotIn" 5567 values: 5568 - "true" 5569 - key: "name" 5570 operator: "NotIn" 5571 values: 5572 - cert-manager 5573 rules: 5574 - apiGroups: 5575 - "cert-manager.io" 5576 - "acme.cert-manager.io" 5577 apiVersions: 5578 - "v1" 5579 operations: 5580 - CREATE 5581 - UPDATE 5582 resources: 5583 - "*/*" 5584 admissionReviewVersions: ["v1"] 5585 # This webhook only accepts v1 
cert-manager resources. 5586 # Equivalent matchPolicy ensures that non-v1 resource requests are sent to 5587 # this webhook (after the resources have been converted to v1). 5588 matchPolicy: Equivalent 5589 timeoutSeconds: 10 5590 failurePolicy: Fail 5591 sideEffects: None 5592 clientConfig: 5593 service: 5594 name: cert-manager-webhook 5595 namespace: cert-manager 5596 path: /validate