github.com/percona/percona-xtradb-cluster-operator@v1.14.0/pkg/controller/pxc/testdata/cert-manager.yaml (about) 1 # Copyright 2021 The cert-manager Authors. 2 # 3 # Licensed under the Apache License, Version 2.0 (the "License"); 4 # you may not use this file except in compliance with the License. 5 # You may obtain a copy of the License at 6 # 7 # http://www.apache.org/licenses/LICENSE-2.0 8 # 9 # Unless required by applicable law or agreed to in writing, software 10 # distributed under the License is distributed on an "AS IS" BASIS, 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 # See the License for the specific language governing permissions and 13 # limitations under the License. 14 15 apiVersion: v1 16 kind: Namespace 17 metadata: 18 name: cert-manager 19 --- 20 # Source: cert-manager/templates/crd-templates.yaml 21 apiVersion: apiextensions.k8s.io/v1 22 kind: CustomResourceDefinition 23 metadata: 24 name: certificaterequests.cert-manager.io 25 labels: 26 app: 'cert-manager' 27 app.kubernetes.io/name: 'cert-manager' 28 app.kubernetes.io/instance: 'cert-manager' 29 # Generated labels 30 app.kubernetes.io/version: "v1.11.0" 31 spec: 32 group: cert-manager.io 33 names: 34 kind: CertificateRequest 35 listKind: CertificateRequestList 36 plural: certificaterequests 37 shortNames: 38 - cr 39 - crs 40 singular: certificaterequest 41 categories: 42 - cert-manager 43 scope: Namespaced 44 versions: 45 - name: v1 46 subresources: 47 status: {} 48 additionalPrinterColumns: 49 - jsonPath: .status.conditions[?(@.type=="Approved")].status 50 name: Approved 51 type: string 52 - jsonPath: .status.conditions[?(@.type=="Denied")].status 53 name: Denied 54 type: string 55 - jsonPath: .status.conditions[?(@.type=="Ready")].status 56 name: Ready 57 type: string 58 - jsonPath: .spec.issuerRef.name 59 name: Issuer 60 type: string 61 - jsonPath: .spec.username 62 name: Requestor 63 type: string 64 - jsonPath: 
.status.conditions[?(@.type=="Ready")].message 65 name: Status 66 priority: 1 67 type: string 68 - jsonPath: .metadata.creationTimestamp 69 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 70 name: Age 71 type: date 72 schema: 73 openAPIV3Schema: 74 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." 75 type: object 76 required: 77 - spec 78 properties: 79 apiVersion: 80 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 81 type: string 82 kind: 83 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 84 type: string 85 metadata: 86 type: object 87 spec: 88 description: Desired state of the CertificateRequest resource. 89 type: object 90 required: 91 - issuerRef 92 - request 93 properties: 94 duration: 95 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. 
96 type: string 97 extra: 98 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 99 type: object 100 additionalProperties: 101 type: array 102 items: 103 type: string 104 groups: 105 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 106 type: array 107 items: 108 type: string 109 x-kubernetes-list-type: atomic 110 isCA: 111 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. 112 type: boolean 113 issuerRef: 114 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. 115 type: object 116 required: 117 - name 118 properties: 119 group: 120 description: Group of the resource being referred to. 121 type: string 122 kind: 123 description: Kind of the resource being referred to. 124 type: string 125 name: 126 description: Name of the resource being referred to. 127 type: string 128 request: 129 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. 130 type: string 131 format: byte 132 uid: 133 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
134 type: string 135 usages: 136 description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. 137 type: array 138 items: 139 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' 140 type: string 141 enum: 142 - signing 143 - digital signature 144 - content commitment 145 - key encipherment 146 - key agreement 147 - data encipherment 148 - cert sign 149 - crl sign 150 - encipher only 151 - decipher only 152 - any 153 - server auth 154 - client auth 155 - code signing 156 - email protection 157 - s/mime 158 - ipsec end system 159 - ipsec tunnel 160 - ipsec user 161 - timestamping 162 - ocsp signing 163 - microsoft sgc 164 - netscape sgc 165 username: 166 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 167 type: string 168 status: 169 description: Status of the CertificateRequest. This is set and managed automatically. 170 type: object 171 properties: 172 ca: 173 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. 
174 type: string 175 format: byte 176 certificate: 177 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. 178 type: string 179 format: byte 180 conditions: 181 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 182 type: array 183 items: 184 description: CertificateRequestCondition contains condition information for a CertificateRequest. 185 type: object 186 required: 187 - status 188 - type 189 properties: 190 lastTransitionTime: 191 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 192 type: string 193 format: date-time 194 message: 195 description: Message is a human readable description of the details of the last transition, complementing reason. 196 type: string 197 reason: 198 description: Reason is a brief machine readable explanation for the condition's last transition. 199 type: string 200 status: 201 description: Status of the condition, one of (`True`, `False`, `Unknown`). 202 type: string 203 enum: 204 - "True" 205 - "False" 206 - Unknown 207 type: 208 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). 209 type: string 210 x-kubernetes-list-map-keys: 211 - type 212 x-kubernetes-list-type: map 213 failureTime: 214 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. 
215 type: string 216 format: date-time 217 served: true 218 storage: true 219 --- 220 # Source: cert-manager/templates/crd-templates.yaml 221 apiVersion: apiextensions.k8s.io/v1 222 kind: CustomResourceDefinition 223 metadata: 224 name: certificates.cert-manager.io 225 labels: 226 app: 'cert-manager' 227 app.kubernetes.io/name: 'cert-manager' 228 app.kubernetes.io/instance: 'cert-manager' 229 # Generated labels 230 app.kubernetes.io/version: "v1.11.0" 231 spec: 232 group: cert-manager.io 233 names: 234 kind: Certificate 235 listKind: CertificateList 236 plural: certificates 237 shortNames: 238 - cert 239 - certs 240 singular: certificate 241 categories: 242 - cert-manager 243 scope: Namespaced 244 versions: 245 - name: v1 246 subresources: 247 status: {} 248 additionalPrinterColumns: 249 - jsonPath: .status.conditions[?(@.type=="Ready")].status 250 name: Ready 251 type: string 252 - jsonPath: .spec.secretName 253 name: Secret 254 type: string 255 - jsonPath: .spec.issuerRef.name 256 name: Issuer 257 priority: 1 258 type: string 259 - jsonPath: .status.conditions[?(@.type=="Ready")].message 260 name: Status 261 priority: 1 262 type: string 263 - jsonPath: .metadata.creationTimestamp 264 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 265 name: Age 266 type: date 267 schema: 268 openAPIV3Schema: 269 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." 270 type: object 271 required: 272 - spec 273 properties: 274 apiVersion: 275 description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 276 type: string 277 kind: 278 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 279 type: string 280 metadata: 281 type: object 282 spec: 283 description: Desired state of the Certificate resource. 284 type: object 285 required: 286 - issuerRef 287 - secretName 288 properties: 289 additionalOutputFormats: 290 description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. 291 type: array 292 items: 293 description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. 294 type: object 295 required: 296 - type 297 properties: 298 type: 299 description: Type is the name of the format type that should be written to the Certificate's target Secret. 300 type: string 301 enum: 302 - DER 303 - CombinedPEM 304 commonName: 305 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. 
This is x509 behavior: https://tools.ietf.org/html/rfc6125#section-6.4.4' 306 type: string 307 dnsNames: 308 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. 309 type: array 310 items: 311 type: string 312 duration: 313 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration 314 type: string 315 emailAddresses: 316 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. 317 type: array 318 items: 319 type: string 320 encodeUsagesInRequest: 321 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest 322 type: boolean 323 ipAddresses: 324 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. 325 type: array 326 items: 327 type: string 328 isCA: 329 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. 330 type: boolean 331 issuerRef: 332 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. 333 type: object 334 required: 335 - name 336 properties: 337 group: 338 description: Group of the resource being referred to. 339 type: string 340 kind: 341 description: Kind of the resource being referred to. 
342 type: string 343 name: 344 description: Name of the resource being referred to. 345 type: string 346 keystores: 347 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. 348 type: object 349 properties: 350 jks: 351 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. 352 type: object 353 required: 354 - create 355 - passwordSecretRef 356 properties: 357 create: 358 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority 359 type: boolean 360 passwordSecretRef: 361 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. 362 type: object 363 required: 364 - name 365 properties: 366 key: 367 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 368 type: string 369 name: 370 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 371 type: string 372 pkcs12: 373 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. 374 type: object 375 required: 376 - create 377 - passwordSecretRef 378 properties: 379 create: 380 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. 
The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority 381 type: boolean 382 passwordSecretRef: 383 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. 384 type: object 385 required: 386 - name 387 properties: 388 key: 389 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 390 type: string 391 name: 392 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 393 type: string 394 privateKey: 395 description: Options to control private keys used for the Certificate. 396 type: object 397 properties: 398 algorithm: 399 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. 400 type: string 401 enum: 402 - RSA 403 - ECDSA 404 - Ed25519 405 encoding: 406 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. 407 type: string 408 enum: 409 - PKCS1 410 - PKCS8 411 rotationPolicy: 412 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. 
If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. 413 type: string 414 enum: 415 - Never 416 - Always 417 size: 418 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. 419 type: integer 420 renewBefore: 421 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration 422 type: string 423 revisionHistoryLimit: 424 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. 425 type: integer 426 format: int32 427 secretName: 428 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. 
It will be populated with a private key and certificate, signed by the denoted issuer. 429 type: string 430 secretTemplate: 431 description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. 432 type: object 433 properties: 434 annotations: 435 description: Annotations is a key value map to be copied to the target Kubernetes Secret. 436 type: object 437 additionalProperties: 438 type: string 439 labels: 440 description: Labels is a key value map to be copied to the target Kubernetes Secret. 441 type: object 442 additionalProperties: 443 type: string 444 subject: 445 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). 446 type: object 447 properties: 448 countries: 449 description: Countries to be used on the Certificate. 450 type: array 451 items: 452 type: string 453 localities: 454 description: Cities to be used on the Certificate. 455 type: array 456 items: 457 type: string 458 organizationalUnits: 459 description: Organizational Units to be used on the Certificate. 460 type: array 461 items: 462 type: string 463 organizations: 464 description: Organizations to be used on the Certificate. 465 type: array 466 items: 467 type: string 468 postalCodes: 469 description: Postal codes to be used on the Certificate. 470 type: array 471 items: 472 type: string 473 provinces: 474 description: State/Provinces to be used on the Certificate. 475 type: array 476 items: 477 type: string 478 serialNumber: 479 description: Serial number to be used on the Certificate. 480 type: string 481 streetAddresses: 482 description: Street addresses to be used on the Certificate. 
483 type: array 484 items: 485 type: string 486 uris: 487 description: URIs is a list of URI subjectAltNames to be set on the Certificate. 488 type: array 489 items: 490 type: string 491 usages: 492 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. 493 type: array 494 items: 495 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' 496 type: string 497 enum: 498 - signing 499 - digital signature 500 - content commitment 501 - key encipherment 502 - key agreement 503 - data encipherment 504 - cert sign 505 - crl sign 506 - encipher only 507 - decipher only 508 - any 509 - server auth 510 - client auth 511 - code signing 512 - email protection 513 - s/mime 514 - ipsec end system 515 - ipsec tunnel 516 - ipsec user 517 - timestamping 518 - ocsp signing 519 - microsoft sgc 520 - netscape sgc 521 status: 522 description: Status of the Certificate. This is set and managed automatically. 523 type: object 524 properties: 525 conditions: 526 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. 527 type: array 528 items: 529 description: CertificateCondition contains condition information for an Certificate. 
530 type: object 531 required: 532 - status 533 - type 534 properties: 535 lastTransitionTime: 536 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 537 type: string 538 format: date-time 539 message: 540 description: Message is a human readable description of the details of the last transition, complementing reason. 541 type: string 542 observedGeneration: 543 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. 544 type: integer 545 format: int64 546 reason: 547 description: Reason is a brief machine readable explanation for the condition's last transition. 548 type: string 549 status: 550 description: Status of the condition, one of (`True`, `False`, `Unknown`). 551 type: string 552 enum: 553 - "True" 554 - "False" 555 - Unknown 556 type: 557 description: Type of the condition, known values are (`Ready`, `Issuing`). 558 type: string 559 x-kubernetes-list-map-keys: 560 - type 561 x-kubernetes-list-type: map 562 failedIssuanceAttempts: 563 description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). 564 type: integer 565 lastFailureTime: 566 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. 
567 type: string 568 format: date-time 569 nextPrivateKeySecretName: 570 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. 571 type: string 572 notAfter: 573 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. 574 type: string 575 format: date-time 576 notBefore: 577 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. 578 type: string 579 format: date-time 580 renewalTime: 581 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. 582 type: string 583 format: date-time 584 revision: 585 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." 
586 type: integer 587 served: true 588 storage: true 589 --- 590 # Source: cert-manager/templates/crd-templates.yaml 591 apiVersion: apiextensions.k8s.io/v1 592 kind: CustomResourceDefinition 593 metadata: 594 name: challenges.acme.cert-manager.io 595 labels: 596 app: 'cert-manager' 597 app.kubernetes.io/name: 'cert-manager' 598 app.kubernetes.io/instance: 'cert-manager' 599 # Generated labels 600 app.kubernetes.io/version: "v1.11.0" 601 spec: 602 group: acme.cert-manager.io 603 names: 604 kind: Challenge 605 listKind: ChallengeList 606 plural: challenges 607 singular: challenge 608 categories: 609 - cert-manager 610 - cert-manager-acme 611 scope: Namespaced 612 versions: 613 - additionalPrinterColumns: 614 - jsonPath: .status.state 615 name: State 616 type: string 617 - jsonPath: .spec.dnsName 618 name: Domain 619 type: string 620 - jsonPath: .status.reason 621 name: Reason 622 priority: 1 623 type: string 624 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 625 jsonPath: .metadata.creationTimestamp 626 name: Age 627 type: date 628 name: v1 629 schema: 630 openAPIV3Schema: 631 description: Challenge is a type to represent a Challenge request with an ACME server 632 type: object 633 required: 634 - metadata 635 - spec 636 properties: 637 apiVersion: 638 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 639 type: string 640 kind: 641 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 642 type: string 643 metadata: 644 type: object 645 spec: 646 type: object 647 required: 648 - authorizationURL 649 - dnsName 650 - issuerRef 651 - key 652 - solver 653 - token 654 - type 655 - url 656 properties: 657 authorizationURL: 658 description: The URL to the ACME Authorization resource that this challenge is a part of. 659 type: string 660 dnsName: 661 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. 662 type: string 663 issuerRef: 664 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. 665 type: object 666 required: 667 - name 668 properties: 669 group: 670 description: Group of the resource being referred to. 671 type: string 672 kind: 673 description: Kind of the resource being referred to. 674 type: string 675 name: 676 description: Name of the resource being referred to. 677 type: string 678 key: 679 description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.' 680 type: string 681 solver: 682 description: Contains the domain solving configuration that should be used to solve this challenge resource. 
683 type: object 684 properties: 685 dns01: 686 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 687 type: object 688 properties: 689 acmeDNS: 690 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 691 type: object 692 required: 693 - accountSecretRef 694 - host 695 properties: 696 accountSecretRef: 697 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 698 type: object 699 required: 700 - name 701 properties: 702 key: 703 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 704 type: string 705 name: 706 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 707 type: string 708 host: 709 type: string 710 akamai: 711 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 712 type: object 713 required: 714 - accessTokenSecretRef 715 - clientSecretSecretRef 716 - clientTokenSecretRef 717 - serviceConsumerDomain 718 properties: 719 accessTokenSecretRef: 720 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 721 type: object 722 required: 723 - name 724 properties: 725 key: 726 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 727 type: string 728 name: 729 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 730 type: string 731 clientSecretSecretRef: 732 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
733 type: object 734 required: 735 - name 736 properties: 737 key: 738 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 739 type: string 740 name: 741 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 742 type: string 743 clientTokenSecretRef: 744 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 745 type: object 746 required: 747 - name 748 properties: 749 key: 750 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 751 type: string 752 name: 753 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 754 type: string 755 serviceConsumerDomain: 756 type: string 757 azureDNS: 758 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 759 type: object 760 required: 761 - resourceGroupName 762 - subscriptionID 763 properties: 764 clientID: 765 description: if both this and ClientSecret are left unset MSI will be used 766 type: string 767 clientSecretSecretRef: 768 description: if both this and ClientID are left unset MSI will be used 769 type: object 770 required: 771 - name 772 properties: 773 key: 774 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 775 type: string 776 name: 777 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 778 type: string 779 environment: 780 description: name of the Azure environment (default AzurePublicCloud) 781 type: string 782 enum: 783 - AzurePublicCloud 784 - AzureChinaCloud 785 - AzureGermanCloud 786 - AzureUSGovernmentCloud 787 hostedZoneName: 788 description: name of the DNS zone that should be used 789 type: string 790 managedIdentity: 791 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 792 type: object 793 properties: 794 clientID: 795 description: client ID of the managed identity, can not be used at the same time as resourceID 796 type: string 797 resourceID: 798 description: resource ID of the managed identity, can not be used at the same time as clientID 799 type: string 800 resourceGroupName: 801 description: resource group the DNS zone is located in 802 type: string 803 subscriptionID: 804 description: ID of the Azure subscription 805 type: string 806 tenantID: 807 description: when specifying ClientID and ClientSecret then this field is also needed 808 type: string 809 cloudDNS: 810 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 811 type: object 812 required: 813 - project 814 properties: 815 hostedZoneName: 816 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 817 type: string 818 project: 819 type: string 820 serviceAccountSecretRef: 821 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 822 type: object 823 required: 824 - name 825 properties: 826 key: 827 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
828 type: string 829 name: 830 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 831 type: string 832 cloudflare: 833 description: Use the Cloudflare API to manage DNS01 challenge records. 834 type: object 835 properties: 836 apiKeySecretRef: 837 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 838 type: object 839 required: 840 - name 841 properties: 842 key: 843 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 844 type: string 845 name: 846 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 847 type: string 848 apiTokenSecretRef: 849 description: API token used to authenticate with Cloudflare. 850 type: object 851 required: 852 - name 853 properties: 854 key: 855 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 856 type: string 857 name: 858 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 859 type: string 860 email: 861 description: Email of the account, only required when using API key based authentication. 862 type: string 863 cnameStrategy: 864 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 865 type: string 866 enum: 867 - None 868 - Follow 869 digitalocean: 870 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 
871 type: object 872 required: 873 - tokenSecretRef 874 properties: 875 tokenSecretRef: 876 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 877 type: object 878 required: 879 - name 880 properties: 881 key: 882 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 883 type: string 884 name: 885 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 886 type: string 887 rfc2136: 888 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 889 type: object 890 required: 891 - nameserver 892 properties: 893 nameserver: 894 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required. 895 type: string 896 tsigAlgorithm: 897 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 898 type: string 899 tsigKeyName: 900 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 901 type: string 902 tsigSecretSecretRef: 903 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 904 type: object 905 required: 906 - name 907 properties: 908 key: 909 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
910 type: string 911 name: 912 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 913 type: string 914 route53: 915 description: Use the AWS Route53 API to manage DNS01 challenge records. 916 type: object 917 required: 918 - region 919 properties: 920 accessKeyID: 921 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 922 type: string 923 hostedZoneID: 924 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call. 925 type: string 926 region: 927 description: Always set the region when using AccessKeyID and SecretAccessKey 928 type: string 929 role: 930 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 931 type: string 932 secretAccessKeySecretRef: 933 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials 934 type: object 935 required: 936 - name 937 properties: 938 key: 939 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 940 type: string 941 name: 942 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 943 type: string 944 webhook: 945 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 946 type: object 947 required: 948 - groupName 949 - solverName 950 properties: 951 config: 952 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 953 x-kubernetes-preserve-unknown-fields: true 954 groupName: 955 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 956 type: string 957 solverName: 958 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 959 type: string 960 http01: 961 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 962 type: object 963 properties: 964 gatewayHTTPRoute: 965 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behavior may change in the future. 
966 type: object 967 properties: 968 labels: 969 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 970 type: object 971 additionalProperties: 972 type: string 973 parentRefs: 974 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 975 type: array 976 items: 977 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 978 type: object 979 required: 980 - name 981 properties: 982 group: 983 description: "Group is the group of the referent. \n Support: Core" 984 type: string 985 default: gateway.networking.k8s.io 986 maxLength: 253 987 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 988 kind: 989 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 990 type: string 991 default: Gateway 992 maxLength: 63 993 minLength: 1 994 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 995 name: 996 description: "Name is the name of the referent. \n Support: Core" 997 type: string 998 maxLength: 253 999 minLength: 1 1000 namespace: 1001 description: "Namespace is the namespace of the referent. 
When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 1002 type: string 1003 maxLength: 63 1004 minLength: 1 1005 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 1006 sectionName: 1007 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 1008 type: string 1009 maxLength: 253 1010 minLength: 1 1011 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1012 serviceType: 1013 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 1014 type: string 1015 ingress: 1016 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 1017 type: object 1018 properties: 1019 class: 1020 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
1021 type: string 1022 ingressTemplate: 1023 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 1024 type: object 1025 properties: 1026 metadata: 1027 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 1028 type: object 1029 properties: 1030 annotations: 1031 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 1032 type: object 1033 additionalProperties: 1034 type: string 1035 labels: 1036 description: Labels that should be added to the created ACME HTTP01 solver ingress. 1037 type: object 1038 additionalProperties: 1039 type: string 1040 name: 1041 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 1042 type: string 1043 podTemplate: 1044 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 1045 type: object 1046 properties: 1047 metadata: 1048 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 1049 type: object 1050 properties: 1051 annotations: 1052 description: Annotations that should be added to the created ACME HTTP01 solver pods. 1053 type: object 1054 additionalProperties: 1055 type: string 1056 labels: 1057 description: Labels that should be added to the created ACME HTTP01 solver pods. 
1058 type: object 1059 additionalProperties: 1060 type: string 1061 spec: 1062 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 1063 type: object 1064 properties: 1065 affinity: 1066 description: If specified, the pod's scheduling constraints 1067 type: object 1068 properties: 1069 nodeAffinity: 1070 description: Describes node affinity scheduling rules for the pod. 1071 type: object 1072 properties: 1073 preferredDuringSchedulingIgnoredDuringExecution: 1074 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 1075 type: array 1076 items: 1077 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 1078 type: object 1079 required: 1080 - preference 1081 - weight 1082 properties: 1083 preference: 1084 description: A node selector term, associated with the corresponding weight. 1085 type: object 1086 properties: 1087 matchExpressions: 1088 description: A list of node selector requirements by node's labels. 1089 type: array 1090 items: 1091 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
1092 type: object 1093 required: 1094 - key 1095 - operator 1096 properties: 1097 key: 1098 description: The label key that the selector applies to. 1099 type: string 1100 operator: 1101 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 1102 type: string 1103 values: 1104 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1105 type: array 1106 items: 1107 type: string 1108 matchFields: 1109 description: A list of node selector requirements by node's fields. 1110 type: array 1111 items: 1112 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1113 type: object 1114 required: 1115 - key 1116 - operator 1117 properties: 1118 key: 1119 description: The label key that the selector applies to. 1120 type: string 1121 operator: 1122 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 1123 type: string 1124 values: 1125 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1126 type: array 1127 items: 1128 type: string 1129 weight: 1130 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
1131 type: integer 1132 format: int32 1133 requiredDuringSchedulingIgnoredDuringExecution: 1134 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 1135 type: object 1136 required: 1137 - nodeSelectorTerms 1138 properties: 1139 nodeSelectorTerms: 1140 description: Required. A list of node selector terms. The terms are ORed. 1141 type: array 1142 items: 1143 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 1144 type: object 1145 properties: 1146 matchExpressions: 1147 description: A list of node selector requirements by node's labels. 1148 type: array 1149 items: 1150 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1151 type: object 1152 required: 1153 - key 1154 - operator 1155 properties: 1156 key: 1157 description: The label key that the selector applies to. 1158 type: string 1159 operator: 1160 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 1161 type: string 1162 values: 1163 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1164 type: array 1165 items: 1166 type: string 1167 matchFields: 1168 description: A list of node selector requirements by node's fields. 
1169 type: array 1170 items: 1171 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1172 type: object 1173 required: 1174 - key 1175 - operator 1176 properties: 1177 key: 1178 description: The label key that the selector applies to. 1179 type: string 1180 operator: 1181 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. 1182 type: string 1183 values: 1184 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1185 type: array 1186 items: 1187 type: string 1188 podAffinity: 1189 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 1190 type: object 1191 properties: 1192 preferredDuringSchedulingIgnoredDuringExecution: 1193 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
1194 type: array 1195 items: 1196 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 1197 type: object 1198 required: 1199 - podAffinityTerm 1200 - weight 1201 properties: 1202 podAffinityTerm: 1203 description: Required. A pod affinity term, associated with the corresponding weight. 1204 type: object 1205 required: 1206 - topologyKey 1207 properties: 1208 labelSelector: 1209 description: A label query over a set of resources, in this case pods. 1210 type: object 1211 properties: 1212 matchExpressions: 1213 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1214 type: array 1215 items: 1216 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1217 type: object 1218 required: 1219 - key 1220 - operator 1221 properties: 1222 key: 1223 description: key is the label key that the selector applies to. 1224 type: string 1225 operator: 1226 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1227 type: string 1228 values: 1229 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1230 type: array 1231 items: 1232 type: string 1233 matchLabels: 1234 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1235 type: object 1236 additionalProperties: 1237 type: string 1238 namespaceSelector: 1239 description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 1240 type: object 1241 properties: 1242 matchExpressions: 1243 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1244 type: array 1245 items: 1246 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1247 type: object 1248 required: 1249 - key 1250 - operator 1251 properties: 1252 key: 1253 description: key is the label key that the selector applies to. 1254 type: string 1255 operator: 1256 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1257 type: string 1258 values: 1259 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1260 type: array 1261 items: 1262 type: string 1263 matchLabels: 1264 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1265 type: object 1266 additionalProperties: 1267 type: string 1268 namespaces: 1269 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" 1270 type: array 1271 items: 1272 type: string 1273 topologyKey: 1274 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1275 type: string 1276 weight: 1277 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 1278 type: integer 1279 format: int32 1280 requiredDuringSchedulingIgnoredDuringExecution: 1281 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 1282 type: array 1283 items: 1284 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 1285 type: object 1286 required: 1287 - topologyKey 1288 properties: 1289 labelSelector: 1290 description: A label query over a set of resources, in this case pods. 1291 type: object 1292 properties: 1293 matchExpressions: 1294 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
1295 type: array 1296 items: 1297 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1298 type: object 1299 required: 1300 - key 1301 - operator 1302 properties: 1303 key: 1304 description: key is the label key that the selector applies to. 1305 type: string 1306 operator: 1307 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1308 type: string 1309 values: 1310 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1311 type: array 1312 items: 1313 type: string 1314 matchLabels: 1315 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1316 type: object 1317 additionalProperties: 1318 type: string 1319 namespaceSelector: 1320 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 1321 type: object 1322 properties: 1323 matchExpressions: 1324 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1325 type: array 1326 items: 1327 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
1328 type: object 1329 required: 1330 - key 1331 - operator 1332 properties: 1333 key: 1334 description: key is the label key that the selector applies to. 1335 type: string 1336 operator: 1337 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1338 type: string 1339 values: 1340 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1341 type: array 1342 items: 1343 type: string 1344 matchLabels: 1345 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1346 type: object 1347 additionalProperties: 1348 type: string 1349 namespaces: 1350 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 1351 type: array 1352 items: 1353 type: string 1354 topologyKey: 1355 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1356 type: string 1357 podAntiAffinity: 1358 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
1359 type: object 1360 properties: 1361 preferredDuringSchedulingIgnoredDuringExecution: 1362 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 1363 type: array 1364 items: 1365 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 1366 type: object 1367 required: 1368 - podAffinityTerm 1369 - weight 1370 properties: 1371 podAffinityTerm: 1372 description: Required. A pod affinity term, associated with the corresponding weight. 1373 type: object 1374 required: 1375 - topologyKey 1376 properties: 1377 labelSelector: 1378 description: A label query over a set of resources, in this case pods. 1379 type: object 1380 properties: 1381 matchExpressions: 1382 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1383 type: array 1384 items: 1385 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1386 type: object 1387 required: 1388 - key 1389 - operator 1390 properties: 1391 key: 1392 description: key is the label key that the selector applies to. 1393 type: string 1394 operator: 1395 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
1396 type: string 1397 values: 1398 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1399 type: array 1400 items: 1401 type: string 1402 matchLabels: 1403 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1404 type: object 1405 additionalProperties: 1406 type: string 1407 namespaceSelector: 1408 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 1409 type: object 1410 properties: 1411 matchExpressions: 1412 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1413 type: array 1414 items: 1415 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1416 type: object 1417 required: 1418 - key 1419 - operator 1420 properties: 1421 key: 1422 description: key is the label key that the selector applies to. 1423 type: string 1424 operator: 1425 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1426 type: string 1427 values: 1428 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1429 type: array 1430 items: 1431 type: string 1432 matchLabels: 1433 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1434 type: object 1435 additionalProperties: 1436 type: string 1437 namespaces: 1438 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 1439 type: array 1440 items: 1441 type: string 1442 topologyKey: 1443 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1444 type: string 1445 weight: 1446 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 1447 type: integer 1448 format: int32 1449 requiredDuringSchedulingIgnoredDuringExecution: 1450 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. 
all terms must be satisfied. 1451 type: array 1452 items: 1453 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 1454 type: object 1455 required: 1456 - topologyKey 1457 properties: 1458 labelSelector: 1459 description: A label query over a set of resources, in this case pods. 1460 type: object 1461 properties: 1462 matchExpressions: 1463 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1464 type: array 1465 items: 1466 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1467 type: object 1468 required: 1469 - key 1470 - operator 1471 properties: 1472 key: 1473 description: key is the label key that the selector applies to. 1474 type: string 1475 operator: 1476 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1477 type: string 1478 values: 1479 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1480 type: array 1481 items: 1482 type: string 1483 matchLabels: 1484 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
1485 type: object 1486 additionalProperties: 1487 type: string 1488 namespaceSelector: 1489 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 1490 type: object 1491 properties: 1492 matchExpressions: 1493 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1494 type: array 1495 items: 1496 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1497 type: object 1498 required: 1499 - key 1500 - operator 1501 properties: 1502 key: 1503 description: key is the label key that the selector applies to. 1504 type: string 1505 operator: 1506 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1507 type: string 1508 values: 1509 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1510 type: array 1511 items: 1512 type: string 1513 matchLabels: 1514 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1515 type: object 1516 additionalProperties: 1517 type: string 1518 namespaces: 1519 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 1520 type: array 1521 items: 1522 type: string 1523 topologyKey: 1524 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1525 type: string 1526 nodeSelector: 1527 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 1528 type: object 1529 additionalProperties: 1530 type: string 1531 priorityClassName: 1532 description: If specified, the pod's priorityClassName. 1533 type: string 1534 serviceAccountName: 1535 description: If specified, the pod's service account 1536 type: string 1537 tolerations: 1538 description: If specified, the pod's tolerations. 1539 type: array 1540 items: 1541 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 1542 type: object 1543 properties: 1544 effect: 1545 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 1546 type: string 1547 key: 1548 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
1549 type: string 1550 operator: 1551 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 1552 type: string 1553 tolerationSeconds: 1554 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 1555 type: integer 1556 format: int64 1557 value: 1558 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 1559 type: string 1560 serviceType: 1561 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 1562 type: string 1563 selector: 1564 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 1565 type: object 1566 properties: 1567 dnsNames: 1568 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 1569 type: array 1570 items: 1571 type: string 1572 dnsZones: 1573 description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 1574 type: array 1575 items: 1576 type: string 1577 matchLabels: 1578 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. 1579 type: object 1580 additionalProperties: 1581 type: string 1582 token: 1583 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. 1584 type: string 1585 type: 1586 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". 1587 type: string 1588 enum: 1589 - HTTP-01 1590 - DNS-01 1591 url: 1592 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. 1593 type: string 1594 wildcard: 1595 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. 1596 type: boolean 1597 status: 1598 type: object 1599 properties: 1600 presented: 1601 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). 1602 type: boolean 1603 processing: 1604 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. 
It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. 1605 type: boolean 1606 reason: 1607 description: Contains human readable information on why the Challenge is in the current state. 1608 type: string 1609 state: 1610 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. 1611 type: string 1612 enum: 1613 - valid 1614 - ready 1615 - pending 1616 - processing 1617 - invalid 1618 - expired 1619 - errored 1620 served: true 1621 storage: true 1622 subresources: 1623 status: {} 1624 --- 1625 # Source: cert-manager/templates/crd-templates.yaml 1626 apiVersion: apiextensions.k8s.io/v1 1627 kind: CustomResourceDefinition 1628 metadata: 1629 name: clusterissuers.cert-manager.io 1630 labels: 1631 app: 'cert-manager' 1632 app.kubernetes.io/name: 'cert-manager' 1633 app.kubernetes.io/instance: 'cert-manager' 1634 # Generated labels 1635 app.kubernetes.io/version: "v1.11.0" 1636 spec: 1637 group: cert-manager.io 1638 names: 1639 kind: ClusterIssuer 1640 listKind: ClusterIssuerList 1641 plural: clusterissuers 1642 singular: clusterissuer 1643 categories: 1644 - cert-manager 1645 scope: Cluster 1646 versions: 1647 - name: v1 1648 subresources: 1649 status: {} 1650 additionalPrinterColumns: 1651 - jsonPath: .status.conditions[?(@.type=="Ready")].status 1652 name: Ready 1653 type: string 1654 - jsonPath: .status.conditions[?(@.type=="Ready")].message 1655 name: Status 1656 priority: 1 1657 type: string 1658 - jsonPath: .metadata.creationTimestamp 1659 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 
1660 name: Age 1661 type: date 1662 schema: 1663 openAPIV3Schema: 1664 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. 1665 type: object 1666 required: 1667 - spec 1668 properties: 1669 apiVersion: 1670 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1671 type: string 1672 kind: 1673 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1674 type: string 1675 metadata: 1676 type: object 1677 spec: 1678 description: Desired state of the ClusterIssuer resource. 1679 type: object 1680 properties: 1681 acme: 1682 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. 1683 type: object 1684 required: 1685 - privateKeySecretRef 1686 - server 1687 properties: 1688 disableAccountKeyGeneration: 1689 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. 1690 type: boolean 1691 email: 1692 description: Email is the email address to be associated with the ACME account. 
This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 1693 type: string 1694 enableDurationFeature: 1695 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. 1696 type: boolean 1697 externalAccountBinding: 1698 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. 1699 type: object 1700 required: 1701 - keyID 1702 - keySecretRef 1703 properties: 1704 keyAlgorithm: 1705 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' 1706 type: string 1707 enum: 1708 - HS256 1709 - HS384 1710 - HS512 1711 keyID: 1712 description: keyID is the ID of the CA key that the External Account is bound to. 1713 type: string 1714 keySecretRef: 1715 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. 1716 type: object 1717 required: 1718 - name 1719 properties: 1720 key: 1721 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 1722 type: string 1723 name: 1724 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1725 type: string 1726 preferredChain: 1727 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' 1728 type: string 1729 maxLength: 64 1730 privateKeySecretRef: 1731 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. 1732 type: object 1733 required: 1734 - name 1735 properties: 1736 key: 1737 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1738 type: string 1739 name: 1740 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1741 type: string 1742 server: 1743 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' 1744 type: string 1745 skipTLSVerify: 1746 description: Enables or disables validation of the ACME server TLS certificate. 
If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. 1747 type: boolean 1748 solvers: 1749 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' 1750 type: array 1751 items: 1752 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. 1753 type: object 1754 properties: 1755 dns01: 1756 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 1757 type: object 1758 properties: 1759 acmeDNS: 1760 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 1761 type: object 1762 required: 1763 - accountSecretRef 1764 - host 1765 properties: 1766 accountSecretRef: 1767 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1768 type: object 1769 required: 1770 - name 1771 properties: 1772 key: 1773 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1774 type: string 1775 name: 1776 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1777 type: string 1778 host: 1779 type: string 1780 akamai: 1781 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 1782 type: object 1783 required: 1784 - accessTokenSecretRef 1785 - clientSecretSecretRef 1786 - clientTokenSecretRef 1787 - serviceConsumerDomain 1788 properties: 1789 accessTokenSecretRef: 1790 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1791 type: object 1792 required: 1793 - name 1794 properties: 1795 key: 1796 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1797 type: string 1798 name: 1799 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1800 type: string 1801 clientSecretSecretRef: 1802 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1803 type: object 1804 required: 1805 - name 1806 properties: 1807 key: 1808 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1809 type: string 1810 name: 1811 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1812 type: string 1813 clientTokenSecretRef: 1814 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1815 type: object 1816 required: 1817 - name 1818 properties: 1819 key: 1820 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
1821 type: string 1822 name: 1823 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1824 type: string 1825 serviceConsumerDomain: 1826 type: string 1827 azureDNS: 1828 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 1829 type: object 1830 required: 1831 - resourceGroupName 1832 - subscriptionID 1833 properties: 1834 clientID: 1835 description: if both this and ClientSecret are left unset MSI will be used 1836 type: string 1837 clientSecretSecretRef: 1838 description: if both this and ClientID are left unset MSI will be used 1839 type: object 1840 required: 1841 - name 1842 properties: 1843 key: 1844 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1845 type: string 1846 name: 1847 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1848 type: string 1849 environment: 1850 description: name of the Azure environment (default AzurePublicCloud) 1851 type: string 1852 enum: 1853 - AzurePublicCloud 1854 - AzureChinaCloud 1855 - AzureGermanCloud 1856 - AzureUSGovernmentCloud 1857 hostedZoneName: 1858 description: name of the DNS zone that should be used 1859 type: string 1860 managedIdentity: 1861 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 1862 type: object 1863 properties: 1864 clientID: 1865 description: client ID of the managed identity, can not be used at the same time as resourceID 1866 type: string 1867 resourceID: 1868 description: resource ID of the managed identity, can not be used at the same time as clientID 1869 type: string 1870 resourceGroupName: 1871 description: resource group the DNS zone is located in 1872 type: string 1873 subscriptionID: 1874 
description: ID of the Azure subscription 1875 type: string 1876 tenantID: 1877 description: when specifying ClientID and ClientSecret then this field is also needed 1878 type: string 1879 cloudDNS: 1880 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 1881 type: object 1882 required: 1883 - project 1884 properties: 1885 hostedZoneName: 1886 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 1887 type: string 1888 project: 1889 type: string 1890 serviceAccountSecretRef: 1891 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1892 type: object 1893 required: 1894 - name 1895 properties: 1896 key: 1897 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1898 type: string 1899 name: 1900 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1901 type: string 1902 cloudflare: 1903 description: Use the Cloudflare API to manage DNS01 challenge records. 1904 type: object 1905 properties: 1906 apiKeySecretRef: 1907 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 1908 type: object 1909 required: 1910 - name 1911 properties: 1912 key: 1913 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1914 type: string 1915 name: 1916 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1917 type: string 1918 apiTokenSecretRef: 1919 description: API token used to authenticate with Cloudflare. 1920 type: object 1921 required: 1922 - name 1923 properties: 1924 key: 1925 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1926 type: string 1927 name: 1928 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1929 type: string 1930 email: 1931 description: Email of the account, only required when using API key based authentication. 1932 type: string 1933 cnameStrategy: 1934 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 1935 type: string 1936 enum: 1937 - None 1938 - Follow 1939 digitalocean: 1940 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 1941 type: object 1942 required: 1943 - tokenSecretRef 1944 properties: 1945 tokenSecretRef: 1946 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1947 type: object 1948 required: 1949 - name 1950 properties: 1951 key: 1952 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1953 type: string 1954 name: 1955 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1956 type: string 1957 rfc2136: 1958 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 
1959 type: object 1960 required: 1961 - nameserver 1962 properties: 1963 nameserver: 1964 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required. 1965 type: string 1966 tsigAlgorithm: 1967 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 1968 type: string 1969 tsigKeyName: 1970 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 1971 type: string 1972 tsigSecretSecretRef: 1973 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 1974 type: object 1975 required: 1976 - name 1977 properties: 1978 key: 1979 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1980 type: string 1981 name: 1982 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1983 type: string 1984 route53: 1985 description: Use the AWS Route53 API to manage DNS01 challenge records. 1986 type: object 1987 required: 1988 - region 1989 properties: 1990 accessKeyID: 1991 description: 'The AccessKeyID is used for authentication. 
If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 1992 type: string 1993 hostedZoneID: 1994 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call. 1995 type: string 1996 region: 1997 description: Always set the region when using AccessKeyID and SecretAccessKey 1998 type: string 1999 role: 2000 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 2001 type: string 2002 secretAccessKeySecretRef: 2003 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials 2004 type: object 2005 required: 2006 - name 2007 properties: 2008 key: 2009 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2010 type: string 2011 name: 2012 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2013 type: string 2014 webhook: 2015 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 2016 type: object 2017 required: 2018 - groupName 2019 - solverName 2020 properties: 2021 config: 2022 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. 
credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 2023 x-kubernetes-preserve-unknown-fields: true 2024 groupName: 2025 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 2026 type: string 2027 solverName: 2028 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 2029 type: string 2030 http01: 2031 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 2032 type: object 2033 properties: 2034 gatewayHTTPRoute: 2035 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behavior may change in the future. 2036 type: object 2037 properties: 2038 labels: 2039 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 2040 type: object 2041 additionalProperties: 2042 type: string 2043 parentRefs: 2044 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. 
See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 2045 type: array 2046 items: 2047 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 2048 type: object 2049 required: 2050 - name 2051 properties: 2052 group: 2053 description: "Group is the group of the referent. \n Support: Core" 2054 type: string 2055 default: gateway.networking.k8s.io 2056 maxLength: 253 2057 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2058 kind: 2059 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 2060 type: string 2061 default: Gateway 2062 maxLength: 63 2063 minLength: 1 2064 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 2065 name: 2066 description: "Name is the name of the referent. \n Support: Core" 2067 type: string 2068 maxLength: 253 2069 minLength: 1 2070 namespace: 2071 description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 2072 type: string 2073 maxLength: 63 2074 minLength: 1 2075 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 2076 sectionName: 2077 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. 
If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 2078 type: string 2079 maxLength: 253 2080 minLength: 1 2081 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2082 serviceType: 2083 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 2084 type: string 2085 ingress: 2086 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 2087 type: object 2088 properties: 2089 class: 2090 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 2091 type: string 2092 ingressTemplate: 2093 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 2094 type: object 2095 properties: 2096 metadata: 2097 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 
2098 type: object 2099 properties: 2100 annotations: 2101 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 2102 type: object 2103 additionalProperties: 2104 type: string 2105 labels: 2106 description: Labels that should be added to the created ACME HTTP01 solver ingress. 2107 type: object 2108 additionalProperties: 2109 type: string 2110 name: 2111 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 2112 type: string 2113 podTemplate: 2114 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 2115 type: object 2116 properties: 2117 metadata: 2118 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 2119 type: object 2120 properties: 2121 annotations: 2122 description: Annotations that should be added to the created ACME HTTP01 solver pods. 2123 type: object 2124 additionalProperties: 2125 type: string 2126 labels: 2127 description: Labels that should be added to the created ACME HTTP01 solver pods. 2128 type: object 2129 additionalProperties: 2130 type: string 2131 spec: 2132 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 
2133 type: object 2134 properties: 2135 affinity: 2136 description: If specified, the pod's scheduling constraints 2137 type: object 2138 properties: 2139 nodeAffinity: 2140 description: Describes node affinity scheduling rules for the pod. 2141 type: object 2142 properties: 2143 preferredDuringSchedulingIgnoredDuringExecution: 2144 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 2145 type: array 2146 items: 2147 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 2148 type: object 2149 required: 2150 - preference 2151 - weight 2152 properties: 2153 preference: 2154 description: A node selector term, associated with the corresponding weight. 2155 type: object 2156 properties: 2157 matchExpressions: 2158 description: A list of node selector requirements by node's labels. 2159 type: array 2160 items: 2161 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2162 type: object 2163 required: 2164 - key 2165 - operator 2166 properties: 2167 key: 2168 description: The label key that the selector applies to. 2169 type: string 2170 operator: 2171 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
2172 type: string 2173 values: 2174 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2175 type: array 2176 items: 2177 type: string 2178 matchFields: 2179 description: A list of node selector requirements by node's fields. 2180 type: array 2181 items: 2182 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2183 type: object 2184 required: 2185 - key 2186 - operator 2187 properties: 2188 key: 2189 description: The label key that the selector applies to. 2190 type: string 2191 operator: 2192 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2193 type: string 2194 values: 2195 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2196 type: array 2197 items: 2198 type: string 2199 weight: 2200 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 2201 type: integer 2202 format: int32 2203 requiredDuringSchedulingIgnoredDuringExecution: 2204 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to an update), the system may or may not try to eventually evict the pod from its node. 2205 type: object 2206 required: 2207 - nodeSelectorTerms 2208 properties: 2209 nodeSelectorTerms: 2210 description: Required. A list of node selector terms. The terms are ORed. 2211 type: array 2212 items: 2213 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 2214 type: object 2215 properties: 2216 matchExpressions: 2217 description: A list of node selector requirements by node's labels. 2218 type: array 2219 items: 2220 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2221 type: object 2222 required: 2223 - key 2224 - operator 2225 properties: 2226 key: 2227 description: The label key that the selector applies to. 2228 type: string 2229 operator: 2230 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2231 type: string 2232 values: 2233 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2234 type: array 2235 items: 2236 type: string 2237 matchFields: 2238 description: A list of node selector requirements by node's fields. 2239 type: array 2240 items: 2241 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2242 type: object 2243 required: 2244 - key 2245 - operator 2246 properties: 2247 key: 2248 description: The label key that the selector applies to. 
2249 type: string 2250 operator: 2251 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2252 type: string 2253 values: 2254 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2255 type: array 2256 items: 2257 type: string 2258 podAffinity: 2259 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 2260 type: object 2261 properties: 2262 preferredDuringSchedulingIgnoredDuringExecution: 2263 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 2264 type: array 2265 items: 2266 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2267 type: object 2268 required: 2269 - podAffinityTerm 2270 - weight 2271 properties: 2272 podAffinityTerm: 2273 description: Required. A pod affinity term, associated with the corresponding weight. 
2274 type: object 2275 required: 2276 - topologyKey 2277 properties: 2278 labelSelector: 2279 description: A label query over a set of resources, in this case pods. 2280 type: object 2281 properties: 2282 matchExpressions: 2283 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2284 type: array 2285 items: 2286 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2287 type: object 2288 required: 2289 - key 2290 - operator 2291 properties: 2292 key: 2293 description: key is the label key that the selector applies to. 2294 type: string 2295 operator: 2296 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2297 type: string 2298 values: 2299 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2300 type: array 2301 items: 2302 type: string 2303 matchLabels: 2304 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2305 type: object 2306 additionalProperties: 2307 type: string 2308 namespaceSelector: 2309 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 
2310 type: object 2311 properties: 2312 matchExpressions: 2313 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2314 type: array 2315 items: 2316 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2317 type: object 2318 required: 2319 - key 2320 - operator 2321 properties: 2322 key: 2323 description: key is the label key that the selector applies to. 2324 type: string 2325 operator: 2326 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2327 type: string 2328 values: 2329 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2330 type: array 2331 items: 2332 type: string 2333 matchLabels: 2334 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2335 type: object 2336 additionalProperties: 2337 type: string 2338 namespaces: 2339 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2340 type: array 2341 items: 2342 type: string 2343 topologyKey: 2344 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2345 type: string 2346 weight: 2347 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 2348 type: integer 2349 format: int32 2350 requiredDuringSchedulingIgnoredDuringExecution: 2351 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 2352 type: array 2353 items: 2354 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 2355 type: object 2356 required: 2357 - topologyKey 2358 properties: 2359 labelSelector: 2360 description: A label query over a set of resources, in this case pods. 2361 type: object 2362 properties: 2363 matchExpressions: 2364 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
2365 type: array 2366 items: 2367 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2368 type: object 2369 required: 2370 - key 2371 - operator 2372 properties: 2373 key: 2374 description: key is the label key that the selector applies to. 2375 type: string 2376 operator: 2377 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2378 type: string 2379 values: 2380 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2381 type: array 2382 items: 2383 type: string 2384 matchLabels: 2385 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2386 type: object 2387 additionalProperties: 2388 type: string 2389 namespaceSelector: 2390 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2391 type: object 2392 properties: 2393 matchExpressions: 2394 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2395 type: array 2396 items: 2397 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
2398 type: object 2399 required: 2400 - key 2401 - operator 2402 properties: 2403 key: 2404 description: key is the label key that the selector applies to. 2405 type: string 2406 operator: 2407 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2408 type: string 2409 values: 2410 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2411 type: array 2412 items: 2413 type: string 2414 matchLabels: 2415 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2416 type: object 2417 additionalProperties: 2418 type: string 2419 namespaces: 2420 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2421 type: array 2422 items: 2423 type: string 2424 topologyKey: 2425 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2426 type: string 2427 podAntiAffinity: 2428 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
2429 type: object 2430 properties: 2431 preferredDuringSchedulingIgnoredDuringExecution: 2432 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 2433 type: array 2434 items: 2435 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2436 type: object 2437 required: 2438 - podAffinityTerm 2439 - weight 2440 properties: 2441 podAffinityTerm: 2442 description: Required. A pod affinity term, associated with the corresponding weight. 2443 type: object 2444 required: 2445 - topologyKey 2446 properties: 2447 labelSelector: 2448 description: A label query over a set of resources, in this case pods. 2449 type: object 2450 properties: 2451 matchExpressions: 2452 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2453 type: array 2454 items: 2455 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2456 type: object 2457 required: 2458 - key 2459 - operator 2460 properties: 2461 key: 2462 description: key is the label key that the selector applies to. 2463 type: string 2464 operator: 2465 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
2466 type: string 2467 values: 2468 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2469 type: array 2470 items: 2471 type: string 2472 matchLabels: 2473 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2474 type: object 2475 additionalProperties: 2476 type: string 2477 namespaceSelector: 2478 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2479 type: object 2480 properties: 2481 matchExpressions: 2482 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2483 type: array 2484 items: 2485 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2486 type: object 2487 required: 2488 - key 2489 - operator 2490 properties: 2491 key: 2492 description: key is the label key that the selector applies to. 2493 type: string 2494 operator: 2495 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2496 type: string 2497 values: 2498 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2499 type: array 2500 items: 2501 type: string 2502 matchLabels: 2503 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2504 type: object 2505 additionalProperties: 2506 type: string 2507 namespaces: 2508 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2509 type: array 2510 items: 2511 type: string 2512 topologyKey: 2513 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2514 type: string 2515 weight: 2516 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 2517 type: integer 2518 format: int32 2519 requiredDuringSchedulingIgnoredDuringExecution: 2520 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. 
all terms must be satisfied. 2521 type: array 2522 items: 2523 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 2524 type: object 2525 required: 2526 - topologyKey 2527 properties: 2528 labelSelector: 2529 description: A label query over a set of resources, in this case pods. 2530 type: object 2531 properties: 2532 matchExpressions: 2533 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2534 type: array 2535 items: 2536 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2537 type: object 2538 required: 2539 - key 2540 - operator 2541 properties: 2542 key: 2543 description: key is the label key that the selector applies to. 2544 type: string 2545 operator: 2546 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2547 type: string 2548 values: 2549 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2550 type: array 2551 items: 2552 type: string 2553 matchLabels: 2554 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
2555 type: object 2556 additionalProperties: 2557 type: string 2558 namespaceSelector: 2559 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2560 type: object 2561 properties: 2562 matchExpressions: 2563 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2564 type: array 2565 items: 2566 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2567 type: object 2568 required: 2569 - key 2570 - operator 2571 properties: 2572 key: 2573 description: key is the label key that the selector applies to. 2574 type: string 2575 operator: 2576 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2577 type: string 2578 values: 2579 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2580 type: array 2581 items: 2582 type: string 2583 matchLabels: 2584 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2585 type: object 2586 additionalProperties: 2587 type: string 2588 namespaces: 2589 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2590 type: array 2591 items: 2592 type: string 2593 topologyKey: 2594 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2595 type: string 2596 nodeSelector: 2597 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 2598 type: object 2599 additionalProperties: 2600 type: string 2601 priorityClassName: 2602 description: If specified, the pod's priorityClassName. 2603 type: string 2604 serviceAccountName: 2605 description: If specified, the pod's service account 2606 type: string 2607 tolerations: 2608 description: If specified, the pod's tolerations. 2609 type: array 2610 items: 2611 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 2612 type: object 2613 properties: 2614 effect: 2615 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 2616 type: string 2617 key: 2618 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
2619 type: string 2620 operator: 2621 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 2622 type: string 2623 tolerationSeconds: 2624 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 2625 type: integer 2626 format: int64 2627 value: 2628 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 2629 type: string 2630 serviceType: 2631 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 2632 type: string 2633 selector: 2634 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 2635 type: object 2636 properties: 2637 dnsNames: 2638 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 2639 type: array 2640 items: 2641 type: string 2642 dnsZones: 2643 description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 2644 type: array 2645 items: 2646 type: string 2647 matchLabels: 2648 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to. 2649 type: object 2650 additionalProperties: 2651 type: string 2652 ca: 2653 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 2654 type: object 2655 required: 2656 - secretName 2657 properties: 2658 crlDistributionPoints: 2659 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 2660 type: array 2661 items: 2662 type: string 2663 ocspServers: 2664 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 2665 type: array 2666 items: 2667 type: string 2668 secretName: 2669 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
2670 type: string 2671 selfSigned: 2672 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 2673 type: object 2674 properties: 2675 crlDistributionPoints: 2676 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings. 2677 type: array 2678 items: 2679 type: string 2680 vault: 2681 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 2682 type: object 2683 required: 2684 - auth 2685 - path 2686 - server 2687 properties: 2688 auth: 2689 description: Auth configures how cert-manager authenticates with the Vault server. 2690 type: object 2691 properties: 2692 appRole: 2693 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 2694 type: object 2695 required: 2696 - path 2697 - roleId 2698 - secretRef 2699 properties: 2700 path: 2701 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 2702 type: string 2703 roleId: 2704 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 2705 type: string 2706 secretRef: 2707 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 2708 type: object 2709 required: 2710 - name 2711 properties: 2712 key: 2713 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2714 type: string 2715 name: 2716 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2717 type: string 2718 kubernetes: 2719 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 2720 type: object 2721 required: 2722 - role 2723 - secretRef 2724 properties: 2725 mountPath: 2726 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 2727 type: string 2728 role: 2729 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 2730 type: string 2731 secretRef: 2732 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 2733 type: object 2734 required: 2735 - name 2736 properties: 2737 key: 2738 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2739 type: string 2740 name: 2741 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2742 type: string 2743 tokenSecretRef: 2744 description: TokenSecretRef authenticates with Vault by presenting a token. 2745 type: object 2746 required: 2747 - name 2748 properties: 2749 key: 2750 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2751 type: string 2752 name: 2753 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2754 type: string 2755 caBundle: 2756 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 2757 type: string 2758 format: byte 2759 namespace: 2760 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' 2761 type: string 2762 path: 2763 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 2764 type: string 2765 server: 2766 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 2767 type: string 2768 venafi: 2769 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 2770 type: object 2771 required: 2772 - zone 2773 properties: 2774 cloud: 2775 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 2776 type: object 2777 required: 2778 - apiTokenSecretRef 2779 properties: 2780 apiTokenSecretRef: 2781 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 2782 type: object 2783 required: 2784 - name 2785 properties: 2786 key: 2787 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2788 type: string 2789 name: 2790 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2791 type: string 2792 url: 2793 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 2794 type: string 2795 tpp: 2796 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 2797 type: object 2798 required: 2799 - credentialsRef 2800 - url 2801 properties: 2802 caBundle: 2803 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. 2804 type: string 2805 format: byte 2806 credentialsRef: 2807 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 2808 type: object 2809 required: 2810 - name 2811 properties: 2812 name: 2813 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2814 type: string 2815 url: 2816 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 2817 type: string 2818 zone: 2819 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 2820 type: string 2821 status: 2822 description: Status of the ClusterIssuer. This is set and managed automatically. 2823 type: object 2824 properties: 2825 acme: 2826 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
2827 type: object 2828 properties: 2829 lastRegisteredEmail: 2830 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 2831 type: string 2832 uri: 2833 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA 2834 type: string 2835 conditions: 2836 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. 2837 type: array 2838 items: 2839 description: IssuerCondition contains condition information for an Issuer. 2840 type: object 2841 required: 2842 - status 2843 - type 2844 properties: 2845 lastTransitionTime: 2846 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 2847 type: string 2848 format: date-time 2849 message: 2850 description: Message is a human readable description of the details of the last transition, complementing reason. 2851 type: string 2852 observedGeneration: 2853 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 2854 type: integer 2855 format: int64 2856 reason: 2857 description: Reason is a brief machine readable explanation for the condition's last transition. 2858 type: string 2859 status: 2860 description: Status of the condition, one of (`True`, `False`, `Unknown`). 2861 type: string 2862 enum: 2863 - "True" 2864 - "False" 2865 - Unknown 2866 type: 2867 description: Type of the condition, known values are (`Ready`). 
2868 type: string 2869 x-kubernetes-list-map-keys: 2870 - type 2871 x-kubernetes-list-type: map 2872 served: true 2873 storage: true 2874 --- 2875 # Source: cert-manager/templates/crd-templates.yaml 2876 apiVersion: apiextensions.k8s.io/v1 2877 kind: CustomResourceDefinition 2878 metadata: 2879 name: issuers.cert-manager.io 2880 annotations: 2881 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' 2882 labels: 2883 app: 'cert-manager' 2884 app.kubernetes.io/name: 'cert-manager' 2885 app.kubernetes.io/instance: 'cert-manager' 2886 # Generated labels 2887 app.kubernetes.io/version: "v1.11.0" 2888 spec: 2889 group: cert-manager.io 2890 names: 2891 kind: Issuer 2892 listKind: IssuerList 2893 plural: issuers 2894 singular: issuer 2895 categories: 2896 - cert-manager 2897 scope: Namespaced 2898 versions: 2899 - name: v1 2900 subresources: 2901 status: {} 2902 additionalPrinterColumns: 2903 - jsonPath: .status.conditions[?(@.type=="Ready")].status 2904 name: Ready 2905 type: string 2906 - jsonPath: .status.conditions[?(@.type=="Ready")].message 2907 name: Status 2908 priority: 1 2909 type: string 2910 - jsonPath: .metadata.creationTimestamp 2911 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 2912 name: Age 2913 type: date 2914 schema: 2915 openAPIV3Schema: 2916 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. 2917 type: object 2918 required: 2919 - spec 2920 properties: 2921 apiVersion: 2922 description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2923 type: string 2924 kind: 2925 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2926 type: string 2927 metadata: 2928 type: object 2929 spec: 2930 description: Desired state of the Issuer resource. 2931 type: object 2932 properties: 2933 acme: 2934 description: ACME configures this issuer to communicate with an RFC8555 (ACME) server to obtain signed x509 certificates. 2935 type: object 2936 required: 2937 - privateKeySecretRef 2938 - server 2939 properties: 2940 disableAccountKeyGeneration: 2941 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. 2942 type: boolean 2943 email: 2944 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 2945 type: string 2946 enableDurationFeature: 2947 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
2948 type: boolean 2949 externalAccountBinding: 2950 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. 2951 type: object 2952 required: 2953 - keyID 2954 - keySecretRef 2955 properties: 2956 keyAlgorithm: 2957 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' 2958 type: string 2959 enum: 2960 - HS256 2961 - HS384 2962 - HS512 2963 keyID: 2964 description: keyID is the ID of the CA key that the External Account is bound to. 2965 type: string 2966 keySecretRef: 2967 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. 2968 type: object 2969 required: 2970 - name 2971 properties: 2972 key: 2973 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2974 type: string 2975 name: 2976 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2977 type: string 2978 preferredChain: 2979 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' 2980 type: string 2981 maxLength: 64 2982 privateKeySecretRef: 2983 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. 2984 type: object 2985 required: 2986 - name 2987 properties: 2988 key: 2989 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2990 type: string 2991 name: 2992 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2993 type: string 2994 server: 2995 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' 2996 type: string 2997 skipTLSVerify: 2998 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. 2999 type: boolean 3000 solvers: 3001 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. 
For more information, see: https://cert-manager.io/docs/configuration/acme/' 3002 type: array 3003 items: 3004 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. 3005 type: object 3006 properties: 3007 dns01: 3008 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 3009 type: object 3010 properties: 3011 acmeDNS: 3012 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 3013 type: object 3014 required: 3015 - accountSecretRef 3016 - host 3017 properties: 3018 accountSecretRef: 3019 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3020 type: object 3021 required: 3022 - name 3023 properties: 3024 key: 3025 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3026 type: string 3027 name: 3028 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3029 type: string 3030 host: 3031 type: string 3032 akamai: 3033 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 3034 type: object 3035 required: 3036 - accessTokenSecretRef 3037 - clientSecretSecretRef 3038 - clientTokenSecretRef 3039 - serviceConsumerDomain 3040 properties: 3041 accessTokenSecretRef: 3042 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3043 type: object 3044 required: 3045 - name 3046 properties: 3047 key: 3048 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 3049 type: string 3050 name: 3051 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3052 type: string 3053 clientSecretSecretRef: 3054 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3055 type: object 3056 required: 3057 - name 3058 properties: 3059 key: 3060 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3061 type: string 3062 name: 3063 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3064 type: string 3065 clientTokenSecretRef: 3066 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3067 type: object 3068 required: 3069 - name 3070 properties: 3071 key: 3072 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3073 type: string 3074 name: 3075 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3076 type: string 3077 serviceConsumerDomain: 3078 type: string 3079 azureDNS: 3080 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
3081 type: object 3082 required: 3083 - resourceGroupName 3084 - subscriptionID 3085 properties: 3086 clientID: 3087 description: if both this and ClientSecret are left unset MSI will be used 3088 type: string 3089 clientSecretSecretRef: 3090 description: if both this and ClientID are left unset MSI will be used 3091 type: object 3092 required: 3093 - name 3094 properties: 3095 key: 3096 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3097 type: string 3098 name: 3099 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3100 type: string 3101 environment: 3102 description: name of the Azure environment (default AzurePublicCloud) 3103 type: string 3104 enum: 3105 - AzurePublicCloud 3106 - AzureChinaCloud 3107 - AzureGermanCloud 3108 - AzureUSGovernmentCloud 3109 hostedZoneName: 3110 description: name of the DNS zone that should be used 3111 type: string 3112 managedIdentity: 3113 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 3114 type: object 3115 properties: 3116 clientID: 3117 description: client ID of the managed identity, can not be used at the same time as resourceID 3118 type: string 3119 resourceID: 3120 description: resource ID of the managed identity, can not be used at the same time as clientID 3121 type: string 3122 resourceGroupName: 3123 description: resource group the DNS zone is located in 3124 type: string 3125 subscriptionID: 3126 description: ID of the Azure subscription 3127 type: string 3128 tenantID: 3129 description: when specifying ClientID and ClientSecret then this field is also needed 3130 type: string 3131 cloudDNS: 3132 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
3133 type: object 3134 required: 3135 - project 3136 properties: 3137 hostedZoneName: 3138 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 3139 type: string 3140 project: 3141 type: string 3142 serviceAccountSecretRef: 3143 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3144 type: object 3145 required: 3146 - name 3147 properties: 3148 key: 3149 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3150 type: string 3151 name: 3152 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3153 type: string 3154 cloudflare: 3155 description: Use the Cloudflare API to manage DNS01 challenge records. 3156 type: object 3157 properties: 3158 apiKeySecretRef: 3159 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 3160 type: object 3161 required: 3162 - name 3163 properties: 3164 key: 3165 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3166 type: string 3167 name: 3168 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3169 type: string 3170 apiTokenSecretRef: 3171 description: API token used to authenticate with Cloudflare. 3172 type: object 3173 required: 3174 - name 3175 properties: 3176 key: 3177 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 3178 type: string 3179 name: 3180 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3181 type: string 3182 email: 3183 description: Email of the account, only required when using API key based authentication. 3184 type: string 3185 cnameStrategy: 3186 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 3187 type: string 3188 enum: 3189 - None 3190 - Follow 3191 digitalocean: 3192 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 3193 type: object 3194 required: 3195 - tokenSecretRef 3196 properties: 3197 tokenSecretRef: 3198 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3199 type: object 3200 required: 3201 - name 3202 properties: 3203 key: 3204 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3205 type: string 3206 name: 3207 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3208 type: string 3209 rfc2136: 3210 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 3211 type: object 3212 required: 3213 - nameserver 3214 properties: 3215 nameserver: 3216 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required. 3217 type: string 3218 tsigAlgorithm: 3219 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. 
Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 3220 type: string 3221 tsigKeyName: 3222 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 3223 type: string 3224 tsigSecretSecretRef: 3225 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 3226 type: object 3227 required: 3228 - name 3229 properties: 3230 key: 3231 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3232 type: string 3233 name: 3234 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3235 type: string 3236 route53: 3237 description: Use the AWS Route53 API to manage DNS01 challenge records. 3238 type: object 3239 required: 3240 - region 3241 properties: 3242 accessKeyID: 3243 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3244 type: string 3245 hostedZoneID: 3246 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
3247 type: string 3248 region: 3249 description: Always set the region when using AccessKeyID and SecretAccessKey 3250 type: string 3251 role: 3252 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 3253 type: string 3254 secretAccessKeySecretRef: 3255 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials 3256 type: object 3257 required: 3258 - name 3259 properties: 3260 key: 3261 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3262 type: string 3263 name: 3264 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3265 type: string 3266 webhook: 3267 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 3268 type: object 3269 required: 3270 - groupName 3271 - solverName 3272 properties: 3273 config: 3274 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 3275 x-kubernetes-preserve-unknown-fields: true 3276 groupName: 3277 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. 
This should be the same as the GroupName specified in the webhook provider implementation. 3278 type: string 3279 solverName: 3280 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 3281 type: string 3282 http01: 3283 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 3284 type: object 3285 properties: 3286 gatewayHTTPRoute: 3287 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behavior may change in the future. 3288 type: object 3289 properties: 3290 labels: 3291 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 3292 type: object 3293 additionalProperties: 3294 type: string 3295 parentRefs: 3296 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 3297 type: array 3298 items: 3299 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. 
\n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 3300 type: object 3301 required: 3302 - name 3303 properties: 3304 group: 3305 description: "Group is the group of the referent. \n Support: Core" 3306 type: string 3307 default: gateway.networking.k8s.io 3308 maxLength: 253 3309 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3310 kind: 3311 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 3312 type: string 3313 default: Gateway 3314 maxLength: 63 3315 minLength: 1 3316 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 3317 name: 3318 description: "Name is the name of the referent. \n Support: Core" 3319 type: string 3320 maxLength: 253 3321 minLength: 1 3322 namespace: 3323 description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 3324 type: string 3325 maxLength: 63 3326 minLength: 1 3327 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 3328 sectionName: 3329 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 3330 type: string 3331 maxLength: 253 3332 minLength: 1 3333 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3334 serviceType: 3335 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 3336 type: string 3337 ingress: 3338 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 3339 type: object 3340 properties: 3341 class: 3342 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 3343 type: string 3344 ingressTemplate: 3345 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 3346 type: object 3347 properties: 3348 metadata: 3349 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 3350 type: object 3351 properties: 3352 annotations: 3353 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 3354 type: object 3355 additionalProperties: 3356 type: string 3357 labels: 3358 description: Labels that should be added to the created ACME HTTP01 solver ingress. 
3359 type: object 3360 additionalProperties: 3361 type: string 3362 name: 3363 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 3364 type: string 3365 podTemplate: 3366 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 3367 type: object 3368 properties: 3369 metadata: 3370 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 3371 type: object 3372 properties: 3373 annotations: 3374 description: Annotations that should be added to the create ACME HTTP01 solver pods. 3375 type: object 3376 additionalProperties: 3377 type: string 3378 labels: 3379 description: Labels that should be added to the created ACME HTTP01 solver pods. 3380 type: object 3381 additionalProperties: 3382 type: string 3383 spec: 3384 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 3385 type: object 3386 properties: 3387 affinity: 3388 description: If specified, the pod's scheduling constraints 3389 type: object 3390 properties: 3391 nodeAffinity: 3392 description: Describes node affinity scheduling rules for the pod. 3393 type: object 3394 properties: 3395 preferredDuringSchedulingIgnoredDuringExecution: 3396 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. 
The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 3397 type: array 3398 items: 3399 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 3400 type: object 3401 required: 3402 - preference 3403 - weight 3404 properties: 3405 preference: 3406 description: A node selector term, associated with the corresponding weight. 3407 type: object 3408 properties: 3409 matchExpressions: 3410 description: A list of node selector requirements by node's labels. 3411 type: array 3412 items: 3413 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3414 type: object 3415 required: 3416 - key 3417 - operator 3418 properties: 3419 key: 3420 description: The label key that the selector applies to. 3421 type: string 3422 operator: 3423 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3424 type: string 3425 values: 3426 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3427 type: array 3428 items: 3429 type: string 3430 matchFields: 3431 description: A list of node selector requirements by node's fields. 
3432 type: array 3433 items: 3434 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3435 type: object 3436 required: 3437 - key 3438 - operator 3439 properties: 3440 key: 3441 description: The label key that the selector applies to. 3442 type: string 3443 operator: 3444 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3445 type: string 3446 values: 3447 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3448 type: array 3449 items: 3450 type: string 3451 weight: 3452 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 3453 type: integer 3454 format: int32 3455 requiredDuringSchedulingIgnoredDuringExecution: 3456 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 3457 type: object 3458 required: 3459 - nodeSelectorTerms 3460 properties: 3461 nodeSelectorTerms: 3462 description: Required. A list of node selector terms. The terms are ORed. 3463 type: array 3464 items: 3465 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
3466 type: object 3467 properties: 3468 matchExpressions: 3469 description: A list of node selector requirements by node's labels. 3470 type: array 3471 items: 3472 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3473 type: object 3474 required: 3475 - key 3476 - operator 3477 properties: 3478 key: 3479 description: The label key that the selector applies to. 3480 type: string 3481 operator: 3482 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3483 type: string 3484 values: 3485 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3486 type: array 3487 items: 3488 type: string 3489 matchFields: 3490 description: A list of node selector requirements by node's fields. 3491 type: array 3492 items: 3493 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3494 type: object 3495 required: 3496 - key 3497 - operator 3498 properties: 3499 key: 3500 description: The label key that the selector applies to. 3501 type: string 3502 operator: 3503 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3504 type: string 3505 values: 3506 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. 3507 type: array 3508 items: 3509 type: string 3510 podAffinity: 3511 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 3512 type: object 3513 properties: 3514 preferredDuringSchedulingIgnoredDuringExecution: 3515 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 3516 type: array 3517 items: 3518 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 3519 type: object 3520 required: 3521 - podAffinityTerm 3522 - weight 3523 properties: 3524 podAffinityTerm: 3525 description: Required. A pod affinity term, associated with the corresponding weight. 3526 type: object 3527 required: 3528 - topologyKey 3529 properties: 3530 labelSelector: 3531 description: A label query over a set of resources, in this case pods. 3532 type: object 3533 properties: 3534 matchExpressions: 3535 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3536 type: array 3537 items: 3538 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
3539 type: object 3540 required: 3541 - key 3542 - operator 3543 properties: 3544 key: 3545 description: key is the label key that the selector applies to. 3546 type: string 3547 operator: 3548 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3549 type: string 3550 values: 3551 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3552 type: array 3553 items: 3554 type: string 3555 matchLabels: 3556 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3557 type: object 3558 additionalProperties: 3559 type: string 3560 namespaceSelector: 3561 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 3562 type: object 3563 properties: 3564 matchExpressions: 3565 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3566 type: array 3567 items: 3568 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3569 type: object 3570 required: 3571 - key 3572 - operator 3573 properties: 3574 key: 3575 description: key is the label key that the selector applies to. 
3576 type: string 3577 operator: 3578 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3579 type: string 3580 values: 3581 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3582 type: array 3583 items: 3584 type: string 3585 matchLabels: 3586 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3587 type: object 3588 additionalProperties: 3589 type: string 3590 namespaces: 3591 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 3592 type: array 3593 items: 3594 type: string 3595 topologyKey: 3596 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3597 type: string 3598 weight: 3599 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 3600 type: integer 3601 format: int32 3602 requiredDuringSchedulingIgnoredDuringExecution: 3603 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 3604 type: array 3605 items: 3606 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 3607 type: object 3608 required: 3609 - topologyKey 3610 properties: 3611 labelSelector: 3612 description: A label query over a set of resources, in this case pods. 3613 type: object 3614 properties: 3615 matchExpressions: 3616 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3617 type: array 3618 items: 3619 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3620 type: object 3621 required: 3622 - key 3623 - operator 3624 properties: 3625 key: 3626 description: key is the label key that the selector applies to. 3627 type: string 3628 operator: 3629 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3630 type: string 3631 values: 3632 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3633 type: array 3634 items: 3635 type: string 3636 matchLabels: 3637 description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3638 type: object 3639 additionalProperties: 3640 type: string 3641 namespaceSelector: 3642 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 3643 type: object 3644 properties: 3645 matchExpressions: 3646 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3647 type: array 3648 items: 3649 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3650 type: object 3651 required: 3652 - key 3653 - operator 3654 properties: 3655 key: 3656 description: key is the label key that the selector applies to. 3657 type: string 3658 operator: 3659 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3660 type: string 3661 values: 3662 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3663 type: array 3664 items: 3665 type: string 3666 matchLabels: 3667 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". 
The requirements are ANDed. 3668 type: object 3669 additionalProperties: 3670 type: string 3671 namespaces: 3672 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 3673 type: array 3674 items: 3675 type: string 3676 topologyKey: 3677 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3678 type: string 3679 podAntiAffinity: 3680 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 3681 type: object 3682 properties: 3683 preferredDuringSchedulingIgnoredDuringExecution: 3684 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
3685 type: array 3686 items: 3687 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 3688 type: object 3689 required: 3690 - podAffinityTerm 3691 - weight 3692 properties: 3693 podAffinityTerm: 3694 description: Required. A pod affinity term, associated with the corresponding weight. 3695 type: object 3696 required: 3697 - topologyKey 3698 properties: 3699 labelSelector: 3700 description: A label query over a set of resources, in this case pods. 3701 type: object 3702 properties: 3703 matchExpressions: 3704 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3705 type: array 3706 items: 3707 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3708 type: object 3709 required: 3710 - key 3711 - operator 3712 properties: 3713 key: 3714 description: key is the label key that the selector applies to. 3715 type: string 3716 operator: 3717 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3718 type: string 3719 values: 3720 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3721 type: array 3722 items: 3723 type: string 3724 matchLabels: 3725 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3726 type: object 3727 additionalProperties: 3728 type: string 3729 namespaceSelector: 3730 description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 3731 type: object 3732 properties: 3733 matchExpressions: 3734 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3735 type: array 3736 items: 3737 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3738 type: object 3739 required: 3740 - key 3741 - operator 3742 properties: 3743 key: 3744 description: key is the label key that the selector applies to. 3745 type: string 3746 operator: 3747 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3748 type: string 3749 values: 3750 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3751 type: array 3752 items: 3753 type: string 3754 matchLabels: 3755 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3756 type: object 3757 additionalProperties: 3758 type: string 3759 namespaces: 3760 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" 3761 type: array 3762 items: 3763 type: string 3764 topologyKey: 3765 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3766 type: string 3767 weight: 3768 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 3769 type: integer 3770 format: int32 3771 requiredDuringSchedulingIgnoredDuringExecution: 3772 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 3773 type: array 3774 items: 3775 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 3776 type: object 3777 required: 3778 - topologyKey 3779 properties: 3780 labelSelector: 3781 description: A label query over a set of resources, in this case pods. 3782 type: object 3783 properties: 3784 matchExpressions: 3785 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
3786 type: array 3787 items: 3788 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3789 type: object 3790 required: 3791 - key 3792 - operator 3793 properties: 3794 key: 3795 description: key is the label key that the selector applies to. 3796 type: string 3797 operator: 3798 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3799 type: string 3800 values: 3801 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3802 type: array 3803 items: 3804 type: string 3805 matchLabels: 3806 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3807 type: object 3808 additionalProperties: 3809 type: string 3810 namespaceSelector: 3811 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 3812 type: object 3813 properties: 3814 matchExpressions: 3815 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3816 type: array 3817 items: 3818 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
3819 type: object 3820 required: 3821 - key 3822 - operator 3823 properties: 3824 key: 3825 description: key is the label key that the selector applies to. 3826 type: string 3827 operator: 3828 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3829 type: string 3830 values: 3831 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3832 type: array 3833 items: 3834 type: string 3835 matchLabels: 3836 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3837 type: object 3838 additionalProperties: 3839 type: string 3840 namespaces: 3841 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 3842 type: array 3843 items: 3844 type: string 3845 topologyKey: 3846 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3847 type: string 3848 nodeSelector: 3849 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 3850 type: object 3851 additionalProperties: 3852 type: string 3853 priorityClassName: 3854 description: If specified, the pod's priorityClassName. 3855 type: string 3856 serviceAccountName: 3857 description: If specified, the pod's service account 3858 type: string 3859 tolerations: 3860 description: If specified, the pod's tolerations. 3861 type: array 3862 items: 3863 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 3864 type: object 3865 properties: 3866 effect: 3867 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 3868 type: string 3869 key: 3870 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 3871 type: string 3872 operator: 3873 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 3874 type: string 3875 tolerationSeconds: 3876 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 3877 type: integer 3878 format: int64 3879 value: 3880 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 
3881 type: string 3882 serviceType: 3883 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 3884 type: string 3885 selector: 3886 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 3887 type: object 3888 properties: 3889 dnsNames: 3890 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 3891 type: array 3892 items: 3893 type: string 3894 dnsZones: 3895 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 3896 type: array 3897 items: 3898 type: string 3899 matchLabels: 3900 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to. 3901 type: object 3902 additionalProperties: 3903 type: string 3904 ca: 3905 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
3906 type: object 3907 required: 3908 - secretName 3909 properties: 3910 crlDistributionPoints: 3911 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 3912 type: array 3913 items: 3914 type: string 3915 ocspServers: 3916 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 3917 type: array 3918 items: 3919 type: string 3920 secretName: 3921 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 3922 type: string 3923 selfSigned: 3924 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 3925 type: object 3926 properties: 3927 crlDistributionPoints: 3928 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. 3929 type: array 3930 items: 3931 type: string 3932 vault: 3933 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 3934 type: object 3935 required: 3936 - auth 3937 - path 3938 - server 3939 properties: 3940 auth: 3941 description: Auth configures how cert-manager authenticates with the Vault server. 3942 type: object 3943 properties: 3944 appRole: 3945 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
3946 type: object 3947 required: 3948 - path 3949 - roleId 3950 - secretRef 3951 properties: 3952 path: 3953 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 3954 type: string 3955 roleId: 3956 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 3957 type: string 3958 secretRef: 3959 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 3960 type: object 3961 required: 3962 - name 3963 properties: 3964 key: 3965 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3966 type: string 3967 name: 3968 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3969 type: string 3970 kubernetes: 3971 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 3972 type: object 3973 required: 3974 - role 3975 - secretRef 3976 properties: 3977 mountPath: 3978 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 3979 type: string 3980 role: 3981 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 3982 type: string 3983 secretRef: 3984 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 
3985 type: object 3986 required: 3987 - name 3988 properties: 3989 key: 3990 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3991 type: string 3992 name: 3993 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3994 type: string 3995 tokenSecretRef: 3996 description: TokenSecretRef authenticates with Vault by presenting a token. 3997 type: object 3998 required: 3999 - name 4000 properties: 4001 key: 4002 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4003 type: string 4004 name: 4005 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4006 type: string 4007 caBundle: 4008 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 4009 type: string 4010 format: byte 4011 namespace: 4012 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' 4013 type: string 4014 path: 4015 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 4016 type: string 4017 server: 4018 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 
4019 type: string 4020 venafi: 4021 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 4022 type: object 4023 required: 4024 - zone 4025 properties: 4026 cloud: 4027 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 4028 type: object 4029 required: 4030 - apiTokenSecretRef 4031 properties: 4032 apiTokenSecretRef: 4033 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 4034 type: object 4035 required: 4036 - name 4037 properties: 4038 key: 4039 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4040 type: string 4041 name: 4042 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4043 type: string 4044 url: 4045 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 4046 type: string 4047 tpp: 4048 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 4049 type: object 4050 required: 4051 - credentialsRef 4052 - url 4053 properties: 4054 caBundle: 4055 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. 4056 type: string 4057 format: byte 4058 credentialsRef: 4059 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 
4060 type: object 4061 required: 4062 - name 4063 properties: 4064 name: 4065 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4066 type: string 4067 url: 4068 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 4069 type: string 4070 zone: 4071 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 4072 type: string 4073 status: 4074 description: Status of the Issuer. This is set and managed automatically. 4075 type: object 4076 properties: 4077 acme: 4078 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 4079 type: object 4080 properties: 4081 lastRegisteredEmail: 4082 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 4083 type: string 4084 uri: 4085 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA 4086 type: string 4087 conditions: 4088 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. 4089 type: array 4090 items: 4091 description: IssuerCondition contains condition information for an Issuer. 4092 type: object 4093 required: 4094 - status 4095 - type 4096 properties: 4097 lastTransitionTime: 4098 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 4099 type: string 4100 format: date-time 4101 message: 4102 description: Message is a human readable description of the details of the last transition, complementing reason. 
4103 type: string 4104 observedGeneration: 4105 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 4106 type: integer 4107 format: int64 4108 reason: 4109 description: Reason is a brief machine readable explanation for the condition's last transition. 4110 type: string 4111 status: 4112 description: Status of the condition, one of (`True`, `False`, `Unknown`). 4113 type: string 4114 enum: 4115 - "True" 4116 - "False" 4117 - Unknown 4118 type: 4119 description: Type of the condition, known values are (`Ready`). 4120 type: string 4121 x-kubernetes-list-map-keys: 4122 - type 4123 x-kubernetes-list-type: map 4124 served: true 4125 storage: true 4126 --- 4127 # Source: cert-manager/templates/crd-templates.yaml 4128 apiVersion: apiextensions.k8s.io/v1 4129 kind: CustomResourceDefinition 4130 metadata: 4131 name: orders.acme.cert-manager.io 4132 annotations: 4133 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' 4134 labels: 4135 app: 'cert-manager' 4136 app.kubernetes.io/name: 'cert-manager' 4137 app.kubernetes.io/instance: 'cert-manager' 4138 # Generated labels 4139 app.kubernetes.io/version: "v1.11.0" 4140 spec: 4141 group: acme.cert-manager.io 4142 names: 4143 kind: Order 4144 listKind: OrderList 4145 plural: orders 4146 singular: order 4147 categories: 4148 - cert-manager 4149 - cert-manager-acme 4150 scope: Namespaced 4151 versions: 4152 - name: v1 4153 subresources: 4154 status: {} 4155 additionalPrinterColumns: 4156 - jsonPath: .status.state 4157 name: State 4158 type: string 4159 - jsonPath: .spec.issuerRef.name 4160 name: Issuer 4161 priority: 1 4162 type: string 4163 - jsonPath: .status.reason 4164 name: Reason 4165 priority: 1 4166 type: string 4167 - jsonPath: .metadata.creationTimestamp 4168 
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 4169 name: Age 4170 type: date 4171 schema: 4172 openAPIV3Schema: 4173 description: Order is a type to represent an Order with an ACME server 4174 type: object 4175 required: 4176 - metadata 4177 - spec 4178 properties: 4179 apiVersion: 4180 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4181 type: string 4182 kind: 4183 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4184 type: string 4185 metadata: 4186 type: object 4187 spec: 4188 type: object 4189 required: 4190 - issuerRef 4191 - request 4192 properties: 4193 commonName: 4194 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. 4195 type: string 4196 dnsNames: 4197 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4198 type: array 4199 items: 4200 type: string 4201 duration: 4202 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
4203 type: string 4204 ipAddresses: 4205 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4206 type: array 4207 items: 4208 type: string 4209 issuerRef: 4210 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. 4211 type: object 4212 required: 4213 - name 4214 properties: 4215 group: 4216 description: Group of the resource being referred to. 4217 type: string 4218 kind: 4219 description: Kind of the resource being referred to. 4220 type: string 4221 name: 4222 description: Name of the resource being referred to. 4223 type: string 4224 request: 4225 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 4226 type: string 4227 format: byte 4228 status: 4229 type: object 4230 properties: 4231 authorizations: 4232 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. 4233 type: array 4234 items: 4235 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource. 4236 type: object 4237 required: 4238 - url 4239 properties: 4240 challenges: 4241 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. 
4242 type: array 4243 items: 4244 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 4245 type: object 4246 required: 4247 - token 4248 - type 4249 - url 4250 properties: 4251 token: 4252 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. 4253 type: string 4254 type: 4255 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. 4256 type: string 4257 url: 4258 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. 4259 type: string 4260 identifier: 4261 description: Identifier is the DNS name to be validated as part of this authorization 4262 type: string 4263 initialState: 4264 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. 4265 type: string 4266 enum: 4267 - valid 4268 - ready 4269 - pending 4270 - processing 4271 - invalid 4272 - expired 4273 - errored 4274 url: 4275 description: URL is the URL of the Authorization that must be completed 4276 type: string 4277 wildcard: 4278 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. 
For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. 4279 type: boolean 4280 certificate: 4281 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. 4282 type: string 4283 format: byte 4284 failureTime: 4285 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. 4286 type: string 4287 format: date-time 4288 finalizeURL: 4289 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. 4290 type: string 4291 reason: 4292 description: Reason optionally provides more information about why the order is in the current state. 4293 type: string 4294 state: 4295 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' 4296 type: string 4297 enum: 4298 - valid 4299 - ready 4300 - pending 4301 - processing 4302 - invalid 4303 - expired 4304 - errored 4305 url: 4306 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. 
4307 type: string 4308 served: true 4309 storage: true 4310 --- 4311 # Source: cert-manager/templates/cainjector-serviceaccount.yaml 4312 apiVersion: v1 4313 kind: ServiceAccount 4314 automountServiceAccountToken: true 4315 metadata: 4316 name: cert-manager-cainjector 4317 namespace: "cert-manager" 4318 labels: 4319 app: cainjector 4320 app.kubernetes.io/name: cainjector 4321 app.kubernetes.io/instance: cert-manager 4322 app.kubernetes.io/component: "cainjector" 4323 app.kubernetes.io/version: "v1.11.0" 4324 --- 4325 # Source: cert-manager/templates/serviceaccount.yaml 4326 apiVersion: v1 4327 kind: ServiceAccount 4328 automountServiceAccountToken: true 4329 metadata: 4330 name: cert-manager 4331 namespace: "cert-manager" 4332 labels: 4333 app: cert-manager 4334 app.kubernetes.io/name: cert-manager 4335 app.kubernetes.io/instance: cert-manager 4336 app.kubernetes.io/component: "controller" 4337 app.kubernetes.io/version: "v1.11.0" 4338 --- 4339 # Source: cert-manager/templates/webhook-serviceaccount.yaml 4340 apiVersion: v1 4341 kind: ServiceAccount 4342 automountServiceAccountToken: true 4343 metadata: 4344 name: cert-manager-webhook 4345 namespace: "cert-manager" 4346 labels: 4347 app: webhook 4348 app.kubernetes.io/name: webhook 4349 app.kubernetes.io/instance: cert-manager 4350 app.kubernetes.io/component: "webhook" 4351 app.kubernetes.io/version: "v1.11.0" 4352 --- 4353 # Source: cert-manager/templates/webhook-config.yaml 4354 apiVersion: v1 4355 kind: ConfigMap 4356 metadata: 4357 name: cert-manager-webhook 4358 namespace: "cert-manager" 4359 labels: 4360 app: webhook 4361 app.kubernetes.io/name: webhook 4362 app.kubernetes.io/instance: cert-manager 4363 app.kubernetes.io/component: "webhook" 4364 data: 4365 --- 4366 # Source: cert-manager/templates/cainjector-rbac.yaml 4367 apiVersion: rbac.authorization.k8s.io/v1 4368 kind: ClusterRole 4369 metadata: 4370 name: cert-manager-cainjector 4371 labels: 4372 app: cainjector 4373 app.kubernetes.io/name: cainjector 
4374 app.kubernetes.io/instance: cert-manager 4375 app.kubernetes.io/component: "cainjector" 4376 app.kubernetes.io/version: "v1.11.0" 4377 rules: 4378 - apiGroups: ["cert-manager.io"] 4379 resources: ["certificates"] 4380 verbs: ["get", "list", "watch"] 4381 - apiGroups: [""] 4382 resources: ["secrets"] 4383 verbs: ["get", "list", "watch"] 4384 - apiGroups: [""] 4385 resources: ["events"] 4386 verbs: ["get", "create", "update", "patch"] 4387 - apiGroups: ["admissionregistration.k8s.io"] 4388 resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] 4389 verbs: ["get", "list", "watch", "update"] 4390 - apiGroups: ["apiregistration.k8s.io"] 4391 resources: ["apiservices"] 4392 verbs: ["get", "list", "watch", "update"] 4393 - apiGroups: ["apiextensions.k8s.io"] 4394 resources: ["customresourcedefinitions"] 4395 verbs: ["get", "list", "watch", "update"] 4396 --- 4397 # Source: cert-manager/templates/rbac.yaml 4398 # Issuer controller role 4399 apiVersion: rbac.authorization.k8s.io/v1 4400 kind: ClusterRole 4401 metadata: 4402 name: cert-manager-controller-issuers 4403 labels: 4404 app: cert-manager 4405 app.kubernetes.io/name: cert-manager 4406 app.kubernetes.io/instance: cert-manager 4407 app.kubernetes.io/component: "controller" 4408 app.kubernetes.io/version: "v1.11.0" 4409 rules: 4410 - apiGroups: ["cert-manager.io"] 4411 resources: ["issuers", "issuers/status"] 4412 verbs: ["update", "patch"] 4413 - apiGroups: ["cert-manager.io"] 4414 resources: ["issuers"] 4415 verbs: ["get", "list", "watch"] 4416 - apiGroups: [""] 4417 resources: ["secrets"] 4418 verbs: ["get", "list", "watch", "create", "update", "delete"] 4419 - apiGroups: [""] 4420 resources: ["events"] 4421 verbs: ["create", "patch"] 4422 --- 4423 # Source: cert-manager/templates/rbac.yaml 4424 # ClusterIssuer controller role 4425 apiVersion: rbac.authorization.k8s.io/v1 4426 kind: ClusterRole 4427 metadata: 4428 name: cert-manager-controller-clusterissuers 4429 labels: 4430 app: 
cert-manager 4431 app.kubernetes.io/name: cert-manager 4432 app.kubernetes.io/instance: cert-manager 4433 app.kubernetes.io/component: "controller" 4434 app.kubernetes.io/version: "v1.11.0" 4435 rules: 4436 - apiGroups: ["cert-manager.io"] 4437 resources: ["clusterissuers", "clusterissuers/status"] 4438 verbs: ["update", "patch"] 4439 - apiGroups: ["cert-manager.io"] 4440 resources: ["clusterissuers"] 4441 verbs: ["get", "list", "watch"] 4442 - apiGroups: [""] 4443 resources: ["secrets"] 4444 verbs: ["get", "list", "watch", "create", "update", "delete"] 4445 - apiGroups: [""] 4446 resources: ["events"] 4447 verbs: ["create", "patch"] 4448 --- 4449 # Source: cert-manager/templates/rbac.yaml 4450 # Certificates controller role 4451 apiVersion: rbac.authorization.k8s.io/v1 4452 kind: ClusterRole 4453 metadata: 4454 name: cert-manager-controller-certificates 4455 labels: 4456 app: cert-manager 4457 app.kubernetes.io/name: cert-manager 4458 app.kubernetes.io/instance: cert-manager 4459 app.kubernetes.io/component: "controller" 4460 app.kubernetes.io/version: "v1.11.0" 4461 rules: 4462 - apiGroups: ["cert-manager.io"] 4463 resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] 4464 verbs: ["update", "patch"] 4465 - apiGroups: ["cert-manager.io"] 4466 resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] 4467 verbs: ["get", "list", "watch"] 4468 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 4469 # admission controller enabled: 4470 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 4471 - apiGroups: ["cert-manager.io"] 4472 resources: ["certificates/finalizers", "certificaterequests/finalizers"] 4473 verbs: ["update"] 4474 - apiGroups: ["acme.cert-manager.io"] 4475 resources: ["orders"] 4476 verbs: ["create", "delete", "get", "list", "watch"] 4477 - apiGroups: [""] 4478 resources: 
["secrets"] 4479 verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] 4480 - apiGroups: [""] 4481 resources: ["events"] 4482 verbs: ["create", "patch"] 4483 --- 4484 # Source: cert-manager/templates/rbac.yaml 4485 # Orders controller role 4486 apiVersion: rbac.authorization.k8s.io/v1 4487 kind: ClusterRole 4488 metadata: 4489 name: cert-manager-controller-orders 4490 labels: 4491 app: cert-manager 4492 app.kubernetes.io/name: cert-manager 4493 app.kubernetes.io/instance: cert-manager 4494 app.kubernetes.io/component: "controller" 4495 app.kubernetes.io/version: "v1.11.0" 4496 rules: 4497 - apiGroups: ["acme.cert-manager.io"] 4498 resources: ["orders", "orders/status"] 4499 verbs: ["update", "patch"] 4500 - apiGroups: ["acme.cert-manager.io"] 4501 resources: ["orders", "challenges"] 4502 verbs: ["get", "list", "watch"] 4503 - apiGroups: ["cert-manager.io"] 4504 resources: ["clusterissuers", "issuers"] 4505 verbs: ["get", "list", "watch"] 4506 - apiGroups: ["acme.cert-manager.io"] 4507 resources: ["challenges"] 4508 verbs: ["create", "delete"] 4509 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 4510 # admission controller enabled: 4511 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 4512 - apiGroups: ["acme.cert-manager.io"] 4513 resources: ["orders/finalizers"] 4514 verbs: ["update"] 4515 - apiGroups: [""] 4516 resources: ["secrets"] 4517 verbs: ["get", "list", "watch"] 4518 - apiGroups: [""] 4519 resources: ["events"] 4520 verbs: ["create", "patch"] 4521 --- 4522 # Source: cert-manager/templates/rbac.yaml 4523 # Challenges controller role 4524 apiVersion: rbac.authorization.k8s.io/v1 4525 kind: ClusterRole 4526 metadata: 4527 name: cert-manager-controller-challenges 4528 labels: 4529 app: cert-manager 4530 app.kubernetes.io/name: cert-manager 4531 app.kubernetes.io/instance: cert-manager 4532 app.kubernetes.io/component: "controller" 4533 
app.kubernetes.io/version: "v1.11.0" 4534 rules: 4535 # Use to update challenge resource status 4536 - apiGroups: ["acme.cert-manager.io"] 4537 resources: ["challenges", "challenges/status"] 4538 verbs: ["update", "patch"] 4539 # Used to watch challenge resources 4540 - apiGroups: ["acme.cert-manager.io"] 4541 resources: ["challenges"] 4542 verbs: ["get", "list", "watch"] 4543 # Used to watch challenges, issuer and clusterissuer resources 4544 - apiGroups: ["cert-manager.io"] 4545 resources: ["issuers", "clusterissuers"] 4546 verbs: ["get", "list", "watch"] 4547 # Need to be able to retrieve ACME account private key to complete challenges 4548 - apiGroups: [""] 4549 resources: ["secrets"] 4550 verbs: ["get", "list", "watch"] 4551 # Used to create events 4552 - apiGroups: [""] 4553 resources: ["events"] 4554 verbs: ["create", "patch"] 4555 # HTTP01 rules 4556 - apiGroups: [""] 4557 resources: ["pods", "services"] 4558 verbs: ["get", "list", "watch", "create", "delete"] 4559 - apiGroups: ["networking.k8s.io"] 4560 resources: ["ingresses"] 4561 verbs: ["get", "list", "watch", "create", "delete", "update"] 4562 - apiGroups: [ "gateway.networking.k8s.io" ] 4563 resources: [ "httproutes" ] 4564 verbs: ["get", "list", "watch", "create", "delete", "update"] 4565 # We require the ability to specify a custom hostname when we are creating 4566 # new ingress resources. 
4567 # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 4568 - apiGroups: ["route.openshift.io"] 4569 resources: ["routes/custom-host"] 4570 verbs: ["create"] 4571 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 4572 # admission controller enabled: 4573 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 4574 - apiGroups: ["acme.cert-manager.io"] 4575 resources: ["challenges/finalizers"] 4576 verbs: ["update"] 4577 # DNS01 rules (duplicated above) 4578 - apiGroups: [""] 4579 resources: ["secrets"] 4580 verbs: ["get", "list", "watch"] 4581 --- 4582 # Source: cert-manager/templates/rbac.yaml 4583 # ingress-shim controller role 4584 apiVersion: rbac.authorization.k8s.io/v1 4585 kind: ClusterRole 4586 metadata: 4587 name: cert-manager-controller-ingress-shim 4588 labels: 4589 app: cert-manager 4590 app.kubernetes.io/name: cert-manager 4591 app.kubernetes.io/instance: cert-manager 4592 app.kubernetes.io/component: "controller" 4593 app.kubernetes.io/version: "v1.11.0" 4594 rules: 4595 - apiGroups: ["cert-manager.io"] 4596 resources: ["certificates", "certificaterequests"] 4597 verbs: ["create", "update", "delete"] 4598 - apiGroups: ["cert-manager.io"] 4599 resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] 4600 verbs: ["get", "list", "watch"] 4601 - apiGroups: ["networking.k8s.io"] 4602 resources: ["ingresses"] 4603 verbs: ["get", "list", "watch"] 4604 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 4605 # admission controller enabled: 4606 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 4607 - apiGroups: ["networking.k8s.io"] 4608 resources: ["ingresses/finalizers"] 4609 verbs: ["update"] 4610 - apiGroups: 
["gateway.networking.k8s.io"] 4611 resources: ["gateways", "httproutes"] 4612 verbs: ["get", "list", "watch"] 4613 - apiGroups: ["gateway.networking.k8s.io"] 4614 resources: ["gateways/finalizers", "httproutes/finalizers"] 4615 verbs: ["update"] 4616 - apiGroups: [""] 4617 resources: ["events"] 4618 verbs: ["create", "patch"] 4619 --- 4620 # Source: cert-manager/templates/rbac.yaml 4621 apiVersion: rbac.authorization.k8s.io/v1 4622 kind: ClusterRole 4623 metadata: 4624 name: cert-manager-view 4625 labels: 4626 app: cert-manager 4627 app.kubernetes.io/name: cert-manager 4628 app.kubernetes.io/instance: cert-manager 4629 app.kubernetes.io/component: "controller" 4630 app.kubernetes.io/version: "v1.11.0" 4631 rbac.authorization.k8s.io/aggregate-to-view: "true" 4632 rbac.authorization.k8s.io/aggregate-to-edit: "true" 4633 rbac.authorization.k8s.io/aggregate-to-admin: "true" 4634 rules: 4635 - apiGroups: ["cert-manager.io"] 4636 resources: ["certificates", "certificaterequests", "issuers"] 4637 verbs: ["get", "list", "watch"] 4638 - apiGroups: ["acme.cert-manager.io"] 4639 resources: ["challenges", "orders"] 4640 verbs: ["get", "list", "watch"] 4641 --- 4642 # Source: cert-manager/templates/rbac.yaml 4643 apiVersion: rbac.authorization.k8s.io/v1 4644 kind: ClusterRole 4645 metadata: 4646 name: cert-manager-edit 4647 labels: 4648 app: cert-manager 4649 app.kubernetes.io/name: cert-manager 4650 app.kubernetes.io/instance: cert-manager 4651 app.kubernetes.io/component: "controller" 4652 app.kubernetes.io/version: "v1.11.0" 4653 rbac.authorization.k8s.io/aggregate-to-edit: "true" 4654 rbac.authorization.k8s.io/aggregate-to-admin: "true" 4655 rules: 4656 - apiGroups: ["cert-manager.io"] 4657 resources: ["certificates", "certificaterequests", "issuers"] 4658 verbs: ["create", "delete", "deletecollection", "patch", "update"] 4659 - apiGroups: ["cert-manager.io"] 4660 resources: ["certificates/status"] 4661 verbs: ["update"] 4662 - apiGroups: ["acme.cert-manager.io"] 4663 
resources: ["challenges", "orders"] 4664 verbs: ["create", "delete", "deletecollection", "patch", "update"] 4665 --- 4666 # Source: cert-manager/templates/rbac.yaml 4667 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers 4668 apiVersion: rbac.authorization.k8s.io/v1 4669 kind: ClusterRole 4670 metadata: 4671 name: cert-manager-controller-approve:cert-manager-io 4672 labels: 4673 app: cert-manager 4674 app.kubernetes.io/name: cert-manager 4675 app.kubernetes.io/instance: cert-manager 4676 app.kubernetes.io/component: "cert-manager" 4677 app.kubernetes.io/version: "v1.11.0" 4678 rules: 4679 - apiGroups: ["cert-manager.io"] 4680 resources: ["signers"] 4681 verbs: ["approve"] 4682 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 4683 --- 4684 # Source: cert-manager/templates/rbac.yaml 4685 # Permission to: 4686 # - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers 4687 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers 4688 apiVersion: rbac.authorization.k8s.io/v1 4689 kind: ClusterRole 4690 metadata: 4691 name: cert-manager-controller-certificatesigningrequests 4692 labels: 4693 app: cert-manager 4694 app.kubernetes.io/name: cert-manager 4695 app.kubernetes.io/instance: cert-manager 4696 app.kubernetes.io/component: "cert-manager" 4697 app.kubernetes.io/version: "v1.11.0" 4698 rules: 4699 - apiGroups: ["certificates.k8s.io"] 4700 resources: ["certificatesigningrequests"] 4701 verbs: ["get", "list", "watch", "update"] 4702 - apiGroups: ["certificates.k8s.io"] 4703 resources: ["certificatesigningrequests/status"] 4704 verbs: ["update", "patch"] 4705 - apiGroups: ["certificates.k8s.io"] 4706 resources: ["signers"] 4707 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 4708 verbs: ["sign"] 4709 - apiGroups: ["authorization.k8s.io"] 4710 resources: ["subjectaccessreviews"] 
4711 verbs: ["create"] 4712 --- 4713 # Source: cert-manager/templates/webhook-rbac.yaml 4714 apiVersion: rbac.authorization.k8s.io/v1 4715 kind: ClusterRole 4716 metadata: 4717 name: cert-manager-webhook:subjectaccessreviews 4718 labels: 4719 app: webhook 4720 app.kubernetes.io/name: webhook 4721 app.kubernetes.io/instance: cert-manager 4722 app.kubernetes.io/component: "webhook" 4723 app.kubernetes.io/version: "v1.11.0" 4724 rules: 4725 - apiGroups: ["authorization.k8s.io"] 4726 resources: ["subjectaccessreviews"] 4727 verbs: ["create"] 4728 --- 4729 # Source: cert-manager/templates/cainjector-rbac.yaml 4730 apiVersion: rbac.authorization.k8s.io/v1 4731 kind: ClusterRoleBinding 4732 metadata: 4733 name: cert-manager-cainjector 4734 labels: 4735 app: cainjector 4736 app.kubernetes.io/name: cainjector 4737 app.kubernetes.io/instance: cert-manager 4738 app.kubernetes.io/component: "cainjector" 4739 app.kubernetes.io/version: "v1.11.0" 4740 roleRef: 4741 apiGroup: rbac.authorization.k8s.io 4742 kind: ClusterRole 4743 name: cert-manager-cainjector 4744 subjects: 4745 - name: cert-manager-cainjector 4746 namespace: "cert-manager" 4747 kind: ServiceAccount 4748 --- 4749 # Source: cert-manager/templates/rbac.yaml 4750 apiVersion: rbac.authorization.k8s.io/v1 4751 kind: ClusterRoleBinding 4752 metadata: 4753 name: cert-manager-controller-issuers 4754 labels: 4755 app: cert-manager 4756 app.kubernetes.io/name: cert-manager 4757 app.kubernetes.io/instance: cert-manager 4758 app.kubernetes.io/component: "controller" 4759 app.kubernetes.io/version: "v1.11.0" 4760 roleRef: 4761 apiGroup: rbac.authorization.k8s.io 4762 kind: ClusterRole 4763 name: cert-manager-controller-issuers 4764 subjects: 4765 - name: cert-manager 4766 namespace: "cert-manager" 4767 kind: ServiceAccount 4768 --- 4769 # Source: cert-manager/templates/rbac.yaml 4770 apiVersion: rbac.authorization.k8s.io/v1 4771 kind: ClusterRoleBinding 4772 metadata: 4773 name: cert-manager-controller-clusterissuers 4774 
labels: 4775 app: cert-manager 4776 app.kubernetes.io/name: cert-manager 4777 app.kubernetes.io/instance: cert-manager 4778 app.kubernetes.io/component: "controller" 4779 app.kubernetes.io/version: "v1.11.0" 4780 roleRef: 4781 apiGroup: rbac.authorization.k8s.io 4782 kind: ClusterRole 4783 name: cert-manager-controller-clusterissuers 4784 subjects: 4785 - name: cert-manager 4786 namespace: "cert-manager" 4787 kind: ServiceAccount 4788 --- 4789 # Source: cert-manager/templates/rbac.yaml 4790 apiVersion: rbac.authorization.k8s.io/v1 4791 kind: ClusterRoleBinding 4792 metadata: 4793 name: cert-manager-controller-certificates 4794 labels: 4795 app: cert-manager 4796 app.kubernetes.io/name: cert-manager 4797 app.kubernetes.io/instance: cert-manager 4798 app.kubernetes.io/component: "controller" 4799 app.kubernetes.io/version: "v1.11.0" 4800 roleRef: 4801 apiGroup: rbac.authorization.k8s.io 4802 kind: ClusterRole 4803 name: cert-manager-controller-certificates 4804 subjects: 4805 - name: cert-manager 4806 namespace: "cert-manager" 4807 kind: ServiceAccount 4808 --- 4809 # Source: cert-manager/templates/rbac.yaml 4810 apiVersion: rbac.authorization.k8s.io/v1 4811 kind: ClusterRoleBinding 4812 metadata: 4813 name: cert-manager-controller-orders 4814 labels: 4815 app: cert-manager 4816 app.kubernetes.io/name: cert-manager 4817 app.kubernetes.io/instance: cert-manager 4818 app.kubernetes.io/component: "controller" 4819 app.kubernetes.io/version: "v1.11.0" 4820 roleRef: 4821 apiGroup: rbac.authorization.k8s.io 4822 kind: ClusterRole 4823 name: cert-manager-controller-orders 4824 subjects: 4825 - name: cert-manager 4826 namespace: "cert-manager" 4827 kind: ServiceAccount 4828 --- 4829 # Source: cert-manager/templates/rbac.yaml 4830 apiVersion: rbac.authorization.k8s.io/v1 4831 kind: ClusterRoleBinding 4832 metadata: 4833 name: cert-manager-controller-challenges 4834 labels: 4835 app: cert-manager 4836 app.kubernetes.io/name: cert-manager 4837 app.kubernetes.io/instance: 
cert-manager 4838 app.kubernetes.io/component: "controller" 4839 app.kubernetes.io/version: "v1.11.0" 4840 roleRef: 4841 apiGroup: rbac.authorization.k8s.io 4842 kind: ClusterRole 4843 name: cert-manager-controller-challenges 4844 subjects: 4845 - name: cert-manager 4846 namespace: "cert-manager" 4847 kind: ServiceAccount 4848 --- 4849 # Source: cert-manager/templates/rbac.yaml 4850 apiVersion: rbac.authorization.k8s.io/v1 4851 kind: ClusterRoleBinding 4852 metadata: 4853 name: cert-manager-controller-ingress-shim 4854 labels: 4855 app: cert-manager 4856 app.kubernetes.io/name: cert-manager 4857 app.kubernetes.io/instance: cert-manager 4858 app.kubernetes.io/component: "controller" 4859 app.kubernetes.io/version: "v1.11.0" 4860 roleRef: 4861 apiGroup: rbac.authorization.k8s.io 4862 kind: ClusterRole 4863 name: cert-manager-controller-ingress-shim 4864 subjects: 4865 - name: cert-manager 4866 namespace: "cert-manager" 4867 kind: ServiceAccount 4868 --- 4869 # Source: cert-manager/templates/rbac.yaml 4870 apiVersion: rbac.authorization.k8s.io/v1 4871 kind: ClusterRoleBinding 4872 metadata: 4873 name: cert-manager-controller-approve:cert-manager-io 4874 labels: 4875 app: cert-manager 4876 app.kubernetes.io/name: cert-manager 4877 app.kubernetes.io/instance: cert-manager 4878 app.kubernetes.io/component: "cert-manager" 4879 app.kubernetes.io/version: "v1.11.0" 4880 roleRef: 4881 apiGroup: rbac.authorization.k8s.io 4882 kind: ClusterRole 4883 name: cert-manager-controller-approve:cert-manager-io 4884 subjects: 4885 - name: cert-manager 4886 namespace: "cert-manager" 4887 kind: ServiceAccount 4888 --- 4889 # Source: cert-manager/templates/rbac.yaml 4890 apiVersion: rbac.authorization.k8s.io/v1 4891 kind: ClusterRoleBinding 4892 metadata: 4893 name: cert-manager-controller-certificatesigningrequests 4894 labels: 4895 app: cert-manager 4896 app.kubernetes.io/name: cert-manager 4897 app.kubernetes.io/instance: cert-manager 4898 app.kubernetes.io/component: "cert-manager" 
4899 app.kubernetes.io/version: "v1.11.0" 4900 roleRef: 4901 apiGroup: rbac.authorization.k8s.io 4902 kind: ClusterRole 4903 name: cert-manager-controller-certificatesigningrequests 4904 subjects: 4905 - name: cert-manager 4906 namespace: "cert-manager" 4907 kind: ServiceAccount 4908 --- 4909 # Source: cert-manager/templates/webhook-rbac.yaml 4910 apiVersion: rbac.authorization.k8s.io/v1 4911 kind: ClusterRoleBinding 4912 metadata: 4913 name: cert-manager-webhook:subjectaccessreviews 4914 labels: 4915 app: webhook 4916 app.kubernetes.io/name: webhook 4917 app.kubernetes.io/instance: cert-manager 4918 app.kubernetes.io/component: "webhook" 4919 app.kubernetes.io/version: "v1.11.0" 4920 roleRef: 4921 apiGroup: rbac.authorization.k8s.io 4922 kind: ClusterRole 4923 name: cert-manager-webhook:subjectaccessreviews 4924 subjects: 4925 - apiGroup: "" 4926 kind: ServiceAccount 4927 name: cert-manager-webhook 4928 namespace: cert-manager 4929 --- 4930 # Source: cert-manager/templates/cainjector-rbac.yaml 4931 # leader election rules 4932 apiVersion: rbac.authorization.k8s.io/v1 4933 kind: Role 4934 metadata: 4935 name: cert-manager-cainjector:leaderelection 4936 namespace: kube-system 4937 labels: 4938 app: cainjector 4939 app.kubernetes.io/name: cainjector 4940 app.kubernetes.io/instance: cert-manager 4941 app.kubernetes.io/component: "cainjector" 4942 app.kubernetes.io/version: "v1.11.0" 4943 rules: 4944 # Used for leader election by the controller 4945 # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller 4946 # see cmd/cainjector/start.go#L113 4947 # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller 4948 # see cmd/cainjector/start.go#L137 4949 - apiGroups: ["coordination.k8s.io"] 4950 resources: ["leases"] 4951 resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] 4952 verbs: ["get", "update", "patch"] 4953 - apiGroups: 
["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Source: cert-manager/templates/rbac.yaml
# Leader-election Role for the controller. Election happens in kube-system
# (see --leader-election-namespace on the cert-manager Deployment below), so
# the controller ServiceAccount gets rights in that namespace: get/update/patch
# are limited to the named Lease, but `create` cannot be scoped by resourceName
# and therefore allows creating any Lease in kube-system. If granting anything
# in kube-system is undesirable, move the flag, this Role and its RoleBinding
# to another namespace together.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.11.0"
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Source: cert-manager/templates/webhook-rbac.yaml
# The Secret named here (cert-manager-webhook-ca) is the CA behind the webhook's
# serving certificate, and the inject-ca-from-secret annotations on the
# Mutating/ValidatingWebhookConfigurations at the end of this file point at the
# same Secret. Whoever can write that Secret can therefore choose which CA the
# API server trusts when it calls the admission webhook; keep write access to
# the Secret and to this Role tightly controlled.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.11.0"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
    - 'cert-manager-webhook-ca'
    verbs: ["get", "list", "watch", "update"]
  # It's not possible to grant CREATE permission on a single resourceName.
  # NOTE(review): the rule below consequently allows creating *any* Secret in
  # the cert-manager namespace, not only the CA secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cainjector permission to manage its leader-election Lease in the
# leader election namespace (kube-system). The bound Role starts above this
# view; the visible tail of it grants coordination.k8s.io/leases, not a
# ConfigMap as older comments said.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.11.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# grant the controller permission to manage its leader-election Lease in the
# leader election namespace (kube-system); binds the cert-manager:leaderelection
# Role defined above (Leases in coordination.k8s.io, not a ConfigMap).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.11.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Binds the webhook ServiceAccount to the dynamic-serving Role above (read/update
# of the CA secret plus create on Secrets in the cert-manager namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.11.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook:dynamic-serving
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
---
# Source: cert-manager/templates/service.yaml
# Metrics Service for the controller. Port 9402 is the plain-TCP metrics port
# (the controller Deployment below annotates it for Prometheus scraping); no
# TLS or authentication is configured for it in this file, so restrict reach
# with a NetworkPolicy if the cluster is multi-tenant.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.11.0"
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 9402
    name: tcp-prometheus-servicemonitor
    targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
---
# Source: cert-manager/templates/webhook-service.yaml
# The API server reaches the admission webhook through this Service (443 ->
# the container port named "https", 10250 in the Deployment below). Only the
# TLS port is exposed here; the plain-HTTP probe port 6080 is not part of the
# Service.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.11.0"
spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: "https"
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
---
# Source: cert-manager/templates/cainjector-deployment.yaml
# NOTE(review): all three Deployments in this file set runAsNonRoot and
# allowPrivilegeEscalation: false but nothing else — no capabilities.drop
# ["ALL"], no seccompProfile, no readOnlyRootFilesystem. As written they will
# not be admitted under the Pod Security "restricted" profile; add those
# fields (or re-render from a newer chart) before using this manifest outside
# of tests. Images are pinned by tag with imagePullPolicy IfNotPresent; a tag
# can be re-pointed upstream, so pin by digest for production use.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.11.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "cainjector"
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "cainjector"
        app.kubernetes.io/version: "v1.11.0"
    spec:
      serviceAccountName: cert-manager-cainjector
      securityContext:
        runAsNonRoot: true
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-cainjector:v1.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          # must match the namespace of the cainjector leaderelection Role/RoleBinding above
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/deployment.yaml
# Controller Deployment. Exposes only the metrics port (9402, plain HTTP,
# annotated for Prometheus scraping); see the hardening note on the cainjector
# Deployment above, which applies here as well.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.11.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "controller"
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "controller"
        app.kubernetes.io/version: "v1.11.0"
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      securityContext:

        runAsNonRoot: true
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v1.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          # namespace in which cluster-scoped issuers' Secrets are looked up
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          # must match the namespace of the cert-manager:leaderelection Role/RoleBinding above
          - --leader-election-namespace=kube-system
          ports:
          - containerPort: 9402
            name: http-metrics
            protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/webhook-deployment.yaml
# Admission webhook Deployment. Serves TLS on 10250 using a certificate whose CA
# is kept in the cert-manager-webhook-ca Secret (hence the dynamic-serving Role
# above); liveness/readiness are plain HTTP on 6080 and are not exposed via the
# Service. NOTE(review): replicas: 1 combined with failurePolicy: Fail on both
# webhook configurations below means that while this single pod is down, every
# CREATE/UPDATE of cert-manager.io / acme.cert-manager.io resources is rejected
# cluster-wide (except in namespaces the validating selector excludes).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.11.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "webhook"
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "webhook"
        app.kubernetes.io/version: "v1.11.0"
    spec:
      serviceAccountName: cert-manager-webhook
      securityContext:
        runAsNonRoot: true
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-webhook:v1.11.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --secure-port=10250
          # CA secret location; must agree with the dynamic-serving Role and the
          # inject-ca-from-secret annotations on the webhook configurations.
          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
          # SANs of the serving certificate; must cover the Service name the
          # API server dials (cert-manager-webhook.cert-manager.svc).
          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
          - name: https
            protocol: TCP
            containerPort: 10250
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Mutating admission for all v1 cert-manager.io / acme.cert-manager.io
# resources. Unlike the validating configuration below it has no
# namespaceSelector, so it applies in every namespace including cert-manager's
# own. The caBundle is not set here; the annotation asks cainjector to fill it
# from the cert-manager-webhook-ca Secret (see the dynamic-serving Role above
# for why that Secret must be protected).
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.11.0"
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: 10
    # Fail closed: if the webhook is unreachable the request is rejected. This
    # is the safe choice for an admission control, at the cost of the
    # availability caveat noted on the webhook Deployment.
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "cert-manager"
        path: /mutate
---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Validating admission for all v1 cert-manager.io / acme.cert-manager.io
# resources, again fail-closed and CA-injected from the webhook CA Secret.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.11.0"
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    # NOTE(review): validation is skipped for namespaces labelled
    # cert-manager.io/disable-validation=true or name=cert-manager. Anyone
    # allowed to label namespaces can therefore opt a namespace out of
    # validation; restrict namespace label writes accordingly. Also, Kubernetes
    # does not set a plain `name` label on namespaces by itself (the automatic
    # one is kubernetes.io/metadata.name), so the cert-manager exclusion only
    # takes effect if the namespace was actually labelled name=cert-manager —
    # verify against the Namespace object used with this file.
    namespaceSelector:
      matchExpressions:
      - key: "cert-manager.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: 10
    # Fail closed (see the note on the mutating configuration above).
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "cert-manager"
        path: /validate