github.com/replicatedhq/ship@v0.55.0/integration/init/cert-manager/expected/.ship/upstream/deploy/manifests/cert-manager.yaml (about)

# Certificate CRD for the pre-1.0 cert-manager API group (certmanager.k8s.io/v1alpha1).
# NOTE(review): this is the legacy apiextensions.k8s.io/v1beta1 CRD form. The schema
# below validates types and two enums only; the numeric and format limits mentioned in
# the field descriptions (keySize ranges, duration strings) are not encoded here, so
# their enforcement is left to the cert-manager controller.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  # Generator output: left null, filled in by the API server on create.
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: certificates.certmanager.k8s.io
spec:
  # Extra columns shown by `kubectl get certificates`.
  additionalPrinterColumns:
  # Plain (unquoted) scalar: the backslashes are literal and are part of the JSONPath.
  - JSONPath: .status.conditions[?(@.type==\"Ready\")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type==\"Ready\")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Certificate
    plural: certificates
    shortNames:
    - cert
    - certs
  scope: Namespaced
  # No `subresources.status` is declared, so status is written through the main
  # resource: any client with update rights on Certificates can also rewrite status.
  validation:
    # There is no top-level `required` (contrast the Challenge CRD): an object without
    # `spec` passes validation, because `spec.required` only applies when `spec` is set.
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            # ACME solver mapping. Only `domains` is validated per entry; the HTTP01/DNS01
            # provider settings the description refers to are not described by this
            # schema and are not checked by the API server.
            acme:
              description: ACME contains configuration specific to ACME Certificates.
                Notably, this contains details on how the domain names listed on this
                Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
                providers to DNS names.
              properties:
                config:
                  items:
                    properties:
                      domains:
                        description: Domains is the list of domains that this SolverConfig
                          applies to.
                        items:
                          type: string
                        type: array
                    required:
                    - domains
                    type: object
                  type: array
              required:
              - config
              type: object
            commonName:
              description: CommonName is a common name to be used on the Certificate
              type: string
            # Plain strings: no pattern or format check, so the schema does not verify
            # that these are valid DNS names.
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
                Certificate
              items:
                type: string
              type: array
            # Typed as a bare string; the duration format is not validated here.
            duration:
              description: Certificate default Duration
              type: string
            # Plain strings; not validated as IP addresses by the schema.
            ipAddresses:
              description: IPAddresses is a list of IP addresses to be used on the
                Certificate
              items:
                type: string
              type: array
            # Security-relevant: requests a certificate that can sign other certificates.
            # Nothing in this schema limits who may set it; rely on RBAC for Certificate
            # objects and on the referenced issuer's own policy.
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This
                implies that the 'signing' usage is set
              type: boolean
            # `kind` has no enum, although the description only defines 'Issuer' and
            # 'ClusterIssuer'; other values are accepted by the API server.
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate.
                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the Certificate will
                be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            # The only key-parameter restriction the API server enforces (enum below).
            keyAlgorithm:
              description: KeyAlgorithm is the private key algorithm of the corresponding
                private key for this certificate. If provided, allowed values are
                either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
                not provided, key size of 256 will be used for "ecdsa" key algorithm
                and key size of 2048 will be used for "rsa" key algorithm.
              enum:
              - rsa
              - ecdsa
              type: string
            # NOTE(review): the 2048-8192 and 256/384/521 limits in the description are
            # NOT encoded (no minimum/maximum/enum), so e.g. keySize: 512 with rsa is
            # accepted by the API server; rejection, if any, happens in the controller.
            keySize:
              description: KeySize is the key bit size of the corresponding private
                key for this certificate. If provided, value must be between 2048
                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                and value must be one of (256, 384, 521) when KeyAlgorithm is set
                to "ecdsa".
              format: int64
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              items:
                type: string
              type: array
            # Bare string, like `duration`; format not validated here.
            renewBefore:
              description: Certificate renew before expiration duration
              type: string
            # Target Secret for the issued certificate and, presumably, its private key
            # (see the keyAlgorithm/keySize descriptions). Read access to Secrets in the
            # namespace therefore implies access to that key.
            secretName:
              description: SecretName is the name of the secret resource to store
                this secret in
              type: string
          required:
          - secretName
          - issuerRef
          type: object
        # Written by the controller; `Ready` is the only condition type named here.
        status:
          properties:
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    # Quoted so the YAML parser keeps them as strings, not booleans.
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - lastTransitionTime
                - reason
                - message
                type: object
              type: array
            lastFailureTime:
              format: date-time
              type: string
            notAfter:
              description: The expiration time of the certificate stored in the secret
                named by this resource in spec.secretName.
              format: date-time
              type: string
          type: object
  version: v1alpha1
# Generator placeholder; the API server maintains the real CRD status.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
   202  ---
# Challenge CRD: one object per ACME challenge (dns01/http01) being solved.
# NOTE(review): legacy apiextensions.k8s.io/v1beta1 form. Unlike the Certificate CRD,
# this schema requires metadata, spec and status at the top level (see the trailing
# `required` list), so a Challenge must be created with a status already populated;
# per the `processing` description these objects are driven by cert-manager's own
# components rather than by users.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  # Generator output: left null, filled in by the API server on create.
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: challenges.certmanager.k8s.io
spec:
  # Extra columns shown by `kubectl get challenges`.
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Challenge
    plural: challenges
  scope: Namespaced
  # No `subresources.status` is declared, so status is written through the main
  # resource: any client with update rights on Challenges can also rewrite status.
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            authzURL:
              description: AuthzURL is the URL to the ACME Authorization resource
                that this challenge is a part of.
              type: string
            # `type: object` with no properties: the solver configuration is accepted
            # verbatim and is not validated by the API server.
            config:
              description: Config specifies the solver configuration for this challenge.
              type: object
            dnsName:
              description: DNSName is the identifier that this challenge is for, e.g.
                example.com.
              type: string
            # The description requires an ACME issuer, but `kind` is not constrained
            # by the schema; the mismatch is only detected by the controller.
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Challenge. If the Issuer does
                not exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Challenge will be marked
                as failed.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            # NOTE(review): `key` and `token` are the ACME challenge values used to
            # prove control of `dnsName`. They live in ordinary spec fields, so anyone
            # who can read Challenge objects can read them while the challenge is
            # outstanding; confirm this matches the intended RBAC for the namespace.
            key:
              description: Key is the ACME challenge key for this challenge
              type: string
            token:
              description: Token is the ACME challenge token for this challenge.
              type: string
            # Free-form string; "dns01"/"http01" are documented but not enforced by enum.
            type:
              description: Type is the type of ACME challenge this resource represents,
                e.g. "dns01" or "http01"
              type: string
            url:
              description: URL is the URL of the ACME Challenge resource for this
                challenge. This can be used to lookup details about the status of
                this challenge.
              type: string
            wildcard:
              description: Wildcard will be true if this challenge is for a wildcard
                identifier, for example '*.example.com'
              type: boolean
          required:
          - authzURL
          - type
          - url
          - dnsName
          - token
          - key
          - wildcard
          - config
          - issuerRef
          type: object
        status:
          properties:
            presented:
              description: Presented will be set to true if the challenge values for
                this challenge are currently 'presented'. This *does not* imply the
                self check is passing. Only that the values have been 'submitted'
                for the appropriate challenge mechanism (i.e. the DNS01 TXT record
                has been presented, or the HTTP01 configuration has been configured).
              type: boolean
            processing:
              description: Processing is used to denote whether this challenge should
                be processed or not. This field will only be set to true by the 'scheduling'
                component. It will only be set to false by the 'challenges' controller,
                after the challenge has reached a final state or timed out. If this
                field is set to false, the challenge controller will not take any
                more action.
              type: boolean
            reason:
              description: Reason contains human readable information on why the Challenge
                is in the current state.
              type: string
            # The empty string is an allowed value so an unset state still validates.
            state:
              description: State contains the current 'state' of the challenge. If
                not set, the state of the challenge is unknown.
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
          required:
          - processing
          - presented
          - reason
          type: object
      # Top-level required list: status must be present on create (see header note).
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
# Generator placeholder; the API server maintains the real CRD status.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
   356  ---
# ClusterIssuer CRD: a cluster-scoped issuer that Certificates in any namespace can
# reference through issuerRef.kind=ClusterIssuer.
# NOTE(review): every secret reference below (privateKeySecretRef, ca.secretName,
# vault secretRef/tokenSecretRef, venafi apiTokenSecretRef/credentialsRef) names a
# Secret without a namespace field. Which namespace those names resolve in is decided
# by the controller, not by this schema; confirm that before granting users rights to
# create ClusterIssuers, since the schema itself does not limit which Secrets can be
# named.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  # Generator output: left null, filled in by the API server on create.
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: clusterissuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
  # No `subresources.status` is declared, so status is written through the main
  # resource: any client with update rights on ClusterIssuers can also rewrite status.
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        # No `required` at this level and no oneOf: a ClusterIssuer with an empty spec,
        # or with several issuer types set at once, passes API-server validation.
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                # ACME account private key. Only `name` is required; `key` is optional.
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                # No pattern restricts the scheme; the schema accepts plain http URLs.
                server:
                  description: Server is the ACME server URL
                  type: string
                # Security caveat: true disables verification of the ACME server's TLS
                # certificate. The ACME section has no caBundle field (unlike vault and
                # venafi.tpp below), so the only choices are system roots or no
                # verification at all; keep this false outside disposable test setups.
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
              required:
              - email
              - server
              - privateKeySecretRef
              type: object
            # Secret holding the CA material used to sign issued certificates; write or
            # read access to that Secret is equivalent to controlling the CA.
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            # No fields; the presence of the key selects the self-signed issuer type.
            selfSigned:
              type: object
            vault:
              properties:
                # `auth` itself has no `required`, so a block with neither appRole nor
                # tokenSecretRef passes validation; the controller must reject it.
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in
                            Vault.
                          type: string
                        # roleId is stored in clear in the spec; the secretId lives in
                        # the referenced Secret.
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                # NOTE(review): per the description this bundle is ignored for plain-HTTP
                # servers, and `server` below has no https restriction, so a Vault token
                # or AppRole secret can be sent over an unencrypted connection if
                # `server` is misconfigured.
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the
                    system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            # "Only one of TPP or Cloud may be specified" is stated in the descriptions
            # but not enforced here (no oneOf); the controller must check it.
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for
                        the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    # NOTE(review): the description says "PEM encoded" while `format: byte`
                    # denotes base64; confirm the expected encoding against the controller.
                    # ("certifiate" is a typo carried over from the upstream text.)
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use
                        to verify connections to the TPP instance. If specified, system
                        roots will not be used and the issuing CA for the TPP instance
                        must be verifiable using the provided root. If not specified,
                        the connection will be verified using the cert-manager system
                        root certificates.
                      format: byte
                      type: string
                    # Only `name` is required; the 'username'/'password' key names are
                    # fixed by the description, not by the schema.
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by
                    the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        # Written by the controller; `Ready` is the only condition type named here.
        status:
          properties:
            acme:
              properties:
                # ACME account URL returned by the CA after registration.
                uri:
                  description: URI is the unique account identifier, which can also
                    be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    # Quoted so the YAML parser keeps them as strings, not booleans.
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - lastTransitionTime
                - reason
                - message
                type: object
              type: array
          type: object
  version: v1alpha1
# Generator placeholder; the API server maintains the real CRD status.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
   615  ---
   616  apiVersion: apiextensions.k8s.io/v1beta1
   617  kind: CustomResourceDefinition
   618  metadata:
   619    creationTimestamp: null
   620    labels:
   621      controller-tools.k8s.io: "1.0"
   622    name: issuers.certmanager.k8s.io
   623  spec:
   624    group: certmanager.k8s.io
   625    names:
   626      kind: Issuer
   627      plural: issuers
   628    scope: Namespaced
   629    validation:
   630      openAPIV3Schema:
   631        properties:
   632          apiVersion:
   633            description: 'APIVersion defines the versioned schema of this representation
   634              of an object. Servers should convert recognized schemas to the latest
   635              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
   636            type: string
   637          kind:
   638            description: 'Kind is a string value representing the REST resource this
   639              object represents. Servers may infer this from the endpoint the client
   640              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
   641            type: string
   642          metadata:
   643            type: object
   644          spec:
   645            properties:
   646              acme:
   647                properties:
   648                  email:
   649                    description: Email is the email for this account
   650                    type: string
   651                  privateKeySecretRef:
   652                    description: PrivateKey is the name of a secret containing the private
   653                      key for this user account.
   654                    properties:
   655                      key:
   656                        description: The key of the secret to select from. Must be a
   657                          valid secret key.
   658                        type: string
   659                      name:
   660                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
   661                          TODO: Add other useful fields. apiVersion, kind, uid?'
   662                        type: string
   663                    required:
   664                    - name
   665                    type: object
   666                  server:
   667                    description: Server is the ACME server URL
   668                    type: string
   669                  skipTLSVerify:
   670                    description: If true, skip verifying the ACME server TLS certificate
   671                    type: boolean
   672                required:
   673                - email
   674                - server
   675                - privateKeySecretRef
   676                type: object
   677              ca:
   678                properties:
   679                  secretName:
   680                    description: SecretName is the name of the secret used to sign Certificates
   681                      issued by this Issuer.
   682                    type: string
   683                required:
   684                - secretName
   685                type: object
   686              selfSigned:
   687                type: object
   688              vault:
   689                properties:
   690                  auth:
   691                    description: Vault authentication
   692                    properties:
   693                      appRole:
   694                        description: This Secret contains a AppRole and Secret
   695                        properties:
   696                          path:
   697                            description: Where the authentication path is mounted in
   698                              Vault.
   699                            type: string
   700                          roleId:
   701                            type: string
   702                          secretRef:
   703                            properties:
   704                              key:
   705                                description: The key of the secret to select from. Must
   706                                  be a valid secret key.
   707                                type: string
   708                              name:
   709                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
   710                                  TODO: Add other useful fields. apiVersion, kind, uid?'
   711                                type: string
   712                            required:
   713                            - name
   714                            type: object
   715                        required:
   716                        - path
   717                        - roleId
   718                        - secretRef
   719                        type: object
   720                      tokenSecretRef:
   721                        description: This Secret contains the Vault token key
   722                        properties:
   723                          key:
   724                            description: The key of the secret to select from. Must
   725                              be a valid secret key.
   726                            type: string
   727                          name:
   728                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
   729                              TODO: Add other useful fields. apiVersion, kind, uid?'
   730                            type: string
   731                        required:
   732                        - name
   733                        type: object
   734                    type: object
   735                  caBundle:
   736                    description: Base64 encoded CA bundle to validate Vault server certificate.
   737                      Only used if the Server URL is using HTTPS protocol. This parameter
   738                      is ignored for plain HTTP protocol connection. If not set the
   739                      system root certificates are used to validate the TLS connection.
   740                    format: byte
   741                    type: string
   742                  path:
   743                    description: Vault URL path to the certificate role
   744                    type: string
   745                  server:
   746                    description: Server is the vault connection address
   747                    type: string
   748                required:
   749                - auth
   750                - server
   751                - path
   752                type: object
   753              venafi:
   754                properties:
   755                  cloud:
   756                    description: Cloud specifies the Venafi cloud configuration settings.
   757                      Only one of TPP or Cloud may be specified.
   758                    properties:
   759                      apiTokenSecretRef:
   760                        description: APITokenSecretRef is a secret key selector for
   761                          the Venafi Cloud API token.
   762                        properties:
   763                          key:
   764                            description: The key of the secret to select from. Must
   765                              be a valid secret key.
   766                            type: string
   767                          name:
   768                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
   769                              TODO: Add other useful fields. apiVersion, kind, uid?'
   770                            type: string
   771                        required:
   772                        - name
   773                        type: object
   774                      url:
   775                        description: URL is the base URL for Venafi Cloud
   776                        type: string
   777                    required:
   778                    - url
   779                    - apiTokenSecretRef
   780                    type: object
   781                  tpp:
   782                    description: TPP specifies Trust Protection Platform configuration
   783                      settings. Only one of TPP or Cloud may be specified.
   784                    properties:
   785                      caBundle:
   786                        description: CABundle is a PEM encoded TLS certifiate to use
   787                          to verify connections to the TPP instance. If specified, system
   788                          roots will not be used and the issuing CA for the TPP instance
   789                          must be verifiable using the provided root. If not specified,
   790                          the connection will be verified using the cert-manager system
   791                          root certificates.
   792                        format: byte
   793                        type: string
   794                      credentialsRef:
   795                        description: CredentialsRef is a reference to a Secret containing
   796                          the username and password for the TPP server. The secret must
   797                          contain two keys, 'username' and 'password'.
   798                        properties:
   799                          name:
   800                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
   801                              TODO: Add other useful fields. apiVersion, kind, uid?'
   802                            type: string
   803                        required:
   804                        - name
   805                        type: object
   806                      url:
   807                        description: URL is the base URL for the Venafi TPP instance
   808                        type: string
   809                    required:
   810                    - url
   811                    - credentialsRef
   812                    type: object
   813                  zone:
   814                    description: Zone is the Venafi Policy Zone to use for this issuer.
   815                      All requests made to the Venafi platform will be restricted by
   816                      the named zone policy. This field is required.
   817                    type: string
   818                required:
   819                - zone
   820                type: object
   821            type: object
   822          status:
   823            properties:
   824              acme:
   825                properties:
   826                  uri:
   827                    description: URI is the unique account identifier, which can also
   828                      be used to retrieve account details from the CA
   829                    type: string
   830                type: object
   831              conditions:
   832                items:
   833                  properties:
   834                    lastTransitionTime:
   835                      description: LastTransitionTime is the timestamp corresponding
   836                        to the last status change of this condition.
   837                      format: date-time
   838                      type: string
   839                    message:
   840                      description: Message is a human readable description of the details
   841                        of the last transition, complementing reason.
   842                      type: string
   843                    reason:
   844                      description: Reason is a brief machine readable explanation for
   845                        the condition's last transition.
   846                      type: string
   847                    status:
   848                      description: Status of the condition, one of ('True', 'False',
   849                        'Unknown').
   850                      enum:
   851                      - "True"
   852                      - "False"
   853                      - Unknown
   854                      type: string
   855                    type:
   856                      description: Type of the condition, currently ('Ready').
   857                      type: string
   858                  required:
   859                  - type
   860                  - status
   861                  - lastTransitionTime
   862                  - reason
   863                  - message
   864                  type: object
   865                type: array
   866            type: object
   867    version: v1alpha1
   868  status:
   869    acceptedNames:
   870      kind: ""
   871      plural: ""
   872    conditions: []
   873    storedVersions: []
   874  ---
        # CustomResourceDefinition for Order objects (group certmanager.k8s.io,
        # version v1alpha1). The openAPIV3Schema under spec.validation is the only
        # server-side validation these objects receive; it is reviewed inline below.
        # apiextensions.k8s.io/v1beta1 is the legacy CRD API (v1 is the replacement).
   875  apiVersion: apiextensions.k8s.io/v1beta1
   876  kind: CustomResourceDefinition
   877  metadata:
   878    creationTimestamp: null
   879    labels:
   880      controller-tools.k8s.io: "1.0"
   881    name: orders.certmanager.k8s.io
   882  spec:
        # Columns shown by `kubectl get orders`; priority 1 columns only appear with -o wide.
   883    additionalPrinterColumns:
   884    - JSONPath: .status.state
   885      name: State
   886      type: string
   887    - JSONPath: .spec.issuerRef.name
   888      name: Issuer
   889      priority: 1
   890      type: string
   891    - JSONPath: .status.reason
   892      name: Reason
   893      priority: 1
   894      type: string
   895    - JSONPath: .metadata.creationTimestamp
   896      description: CreationTimestamp is a timestamp representing the server time when
   897        this object was created. It is not guaranteed to be set in happens-before order
   898        across separate operations. Clients may not set this value. It is represented
   899        in RFC3339 form and is in UTC.
   900      name: Age
   901      type: date
   902    group: certmanager.k8s.io
   903    names:
   904      kind: Order
   905      plural: orders
   906    scope: Namespaced
   907    validation:
   908      openAPIV3Schema:
   909        properties:
   910          apiVersion:
   911            description: 'APIVersion defines the versioned schema of this representation
   912              of an object. Servers should convert recognized schemas to the latest
   913              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
   914            type: string
   915          kind:
   916            description: 'Kind is a string value representing the REST resource this
   917              object represents. Servers may infer this from the endpoint the client
   918              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
   919            type: string
   920          metadata:
   921            type: object
   922          spec:
   923            properties:
   924              commonName:
   925                description: CommonName is the common name as specified on the DER encoded
   926                  CSR. If CommonName is not specified, the first DNSName specified will
   927                  be used as the CommonName. At least one of CommonName or a DNSNames
   928                  must be set. This field must match the corresponding field on the
   929                  DER encoded CSR.
   930                type: string
   931              config:
   932                description: Config specifies a mapping from DNS identifiers to how
   933                  those identifiers should be solved when performing ACME challenges.
   934                  A config entry must exist for each domain listed in DNSNames and CommonName.
   935                items:
   936                  properties:
   937                    domains:
   938                      description: Domains is the list of domains that this SolverConfig
   939                        applies to.
   940                      items:
   941                        type: string
   942                      type: array
                        # Only `domains` is validated per entry; the solver settings
                        # themselves are not described by this schema.
   943                  required:
   944                  - domains
   945                  type: object
   946                type: array
   947              csr:
   948                description: Certificate signing request bytes in DER encoding. This
   949                  will be used when finalizing the order. This field must be set on
   950                  the order.
                    # format: byte means the DER bytes travel base64-encoded in the JSON payload.
   951                format: byte
   952                type: string
   953              dnsNames:
   954                description: DNSNames is a list of DNS names that should be included
   955                  as part of the Order validation process. If CommonName is not specified,
   956                  the first DNSName specified will be used as the CommonName. At least
   957                  one of CommonName or a DNSNames must be set. This field must match
   958                  the corresponding field on the DER encoded CSR.
   959                items:
   960                  type: string
   961                type: array
   962              issuerRef:
   963                description: IssuerRef references a properly configured ACME-type Issuer
   964                  which should be used to create this Order. If the Issuer does not
   965                  exist, processing will be retried. If the Issuer is not an 'ACME'
   966                  Issuer, an error will be returned and the Order will be marked as
   967                  failed.
   968                properties:
   969                  kind:
   970                    type: string
   971                  name:
   972                    type: string
   973                required:
   974                - name
   975                type: object
                # The "at least one of commonName or dnsNames" rule from the descriptions
                # above is not expressible here and is left to the controller.
   976            required:
   977            - csr
   978            - issuerRef
   979            - config
   980            type: object
   981          status:
   982            properties:
   983              certificate:
   984                description: Certificate is a copy of the PEM encoded certificate for
   985                  this Order. This field will be populated after the order has been
   986                  successfully finalized with the ACME server, and the order has transitioned
   987                  to the 'valid' state.
   988                format: byte
   989                type: string
   990              challenges:
   991                description: Challenges is a list of ChallengeSpecs for Challenges that
   992                  must be created in order to complete this Order.
   993                items:
   994                  properties:
   995                    authzURL:
   996                      description: AuthzURL is the URL to the ACME Authorization resource
   997                        that this challenge is a part of.
   998                      type: string
   999                    config:
  1000                      description: Config specifies the solver configuration for this
  1001                        challenge.
  1002                      type: object
  1003                    dnsName:
  1004                      description: DNSName is the identifier that this challenge is
  1005                        for, e.g. example.com.
  1006                      type: string
  1007                    issuerRef:
  1008                      description: IssuerRef references a properly configured ACME-type
  1009                        Issuer which should be used to create this Challenge. If the
  1010                        Issuer does not exist, processing will be retried. If the Issuer
  1011                        is not an 'ACME' Issuer, an error will be returned and the Challenge
  1012                        will be marked as failed.
  1013                      properties:
  1014                        kind:
  1015                          type: string
  1016                        name:
  1017                          type: string
  1018                      required:
  1019                      - name
  1020                      type: object
                        # key and token are ACME challenge material; anyone who can read
                        # Order status can read them, so RBAC on orders matters.
  1021                    key:
  1022                      description: Key is the ACME challenge key for this challenge
  1023                      type: string
  1024                    token:
  1025                      description: Token is the ACME challenge token for this challenge.
  1026                      type: string
  1027                    type:
  1028                      description: Type is the type of ACME challenge this resource
  1029                        represents, e.g. "dns01" or "http01"
  1030                      type: string
  1031                    url:
  1032                      description: URL is the URL of the ACME Challenge resource for
  1033                        this challenge. This can be used to lookup details about the
  1034                        status of this challenge.
  1035                      type: string
  1036                    wildcard:
  1037                      description: Wildcard will be true if this challenge is for a
  1038                        wildcard identifier, for example '*.example.com'
  1039                      type: boolean
  1040                  required:
  1041                  - authzURL
  1042                  - type
  1043                  - url
  1044                  - dnsName
  1045                  - token
  1046                  - key
  1047                  - wildcard
  1048                  - config
  1049                  - issuerRef
  1050                  type: object
  1051                type: array
  1052              failureTime:
  1053                description: FailureTime stores the time that this order failed. This
  1054                  is used to influence garbage collection and back-off.
  1055                format: date-time
  1056                type: string
  1057              finalizeURL:
  1058                description: FinalizeURL of the Order. This is used to obtain certificates
  1059                  for this order once it has been completed.
  1060                type: string
  1061              reason:
  1062                description: Reason optionally provides more information about a why
  1063                  the order is in the current state.
  1064                type: string
                # NOTE(review): the description calls 'success' a final state, but the
                # enum below has no 'success' value (it has 'valid'); the description
                # looks stale — confirm against the controller's state machine.
  1065              state:
  1066                description: State contains the current state of this Order resource.
  1067                  States 'success' and 'expired' are 'final'
  1068                enum:
                    # the empty string is the initial, not-yet-processed state
  1069                - ""
  1070                - valid
  1071                - ready
  1072                - pending
  1073                - processing
  1074                - invalid
  1075                - expired
  1076                - errored
  1077                type: string
  1078              url:
  1079                description: URL of the Order. This will initially be empty when the
  1080                  resource is first created. The Order controller will populate this
  1081                  field when the Order is first processed. This field will be immutable
  1082                  after it is initially set.
  1083                type: string
  1084            type: object
            # NOTE(review): `status` is required at the top level alongside metadata
            # and spec, so an Order submitted without any status stanza fails this
            # schema — confirm the creating controller always sets one.
  1085        required:
  1086        - metadata
  1087        - spec
  1088        - status
  1089    version: v1alpha1
  1090  status:
  1091    acceptedNames:
  1092      kind: ""
  1093      plural: ""
  1094    conditions: []
  1095    storedVersions: []
  1096  ---
        # Namespace that holds every cert-manager component rendered below.
  1097  apiVersion: v1
  1098  kind: Namespace
  1099  metadata:
  1100    name: cert-manager
  1101    labels:
            # Presumably matched by the webhook's namespaceSelector so that
            # cert-manager's own namespace is exempt from its validating webhook
            # (otherwise the webhook could block the objects it depends on while it
            # is not yet serving). The webhook configuration that reads this label
            # is not in this file — confirm before removing it.
  1102    certmanager.k8s.io/disable-validation: "true"
  1103  
  1104  ---
  1105  ---
  1106  # Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
        # Identity the cainjector Deployment runs as; its cluster-wide rights come
        # from the cert-manager-cainjector ClusterRoleBinding further down.
  1107  apiVersion: v1
  1108  kind: ServiceAccount
  1109  metadata:
  1110    name: cert-manager-cainjector
  1111    namespace: "cert-manager"
  1112    labels:
  1113      app: cainjector
  1114      chart: cainjector-v0.7.0
  1115      release: cert-manager
  1116      heritage: Tiller
  1117  
  1118  ---
  1119  # Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
        # Identity the webhook Deployment runs as; it receives the auth-delegator
        # and authentication-reader bindings in the Webhook section below.
  1120  apiVersion: v1
  1121  kind: ServiceAccount
  1122  metadata:
  1123    name: cert-manager-webhook
  1124    namespace: "cert-manager"
  1125    labels:
  1126      app: webhook
  1127      chart: webhook-v0.7.0
  1128      release: cert-manager
  1129      heritage: Tiller
  1130  
  1131  ---
  1132  # Source: cert-manager/templates/serviceaccount.yaml
        # Identity the cert-manager controller Deployment runs as; bound to the
        # cert-manager ClusterRole (cluster-wide secret access) further down.
  1133  apiVersion: v1
  1134  kind: ServiceAccount
  1135  metadata:
  1136    name: cert-manager
  1137    namespace: "cert-manager"
  1138    labels:
  1139      app: cert-manager
  1140      chart: cert-manager-v0.7.0
  1141      release: cert-manager
  1142      heritage: Tiller
  1143  ---
  1144  # Source: cert-manager/charts/cainjector/templates/rbac.yaml
        # Cluster-wide permissions for the cainjector ServiceAccount. The wildcard
        # verbs on validating/mutating webhook configurations and on APIServices
        # let this identity rewrite the cluster's admission chain and API
        # aggregation, so its token is a cluster-admin-grade credential: limit who
        # can read the pod's secrets or exec into it, and alert on writes to those
        # resources from any other principal.
        # Uses the rbac v1beta1 API, while the aggregated roles below use v1.
  1145  apiVersion: rbac.authorization.k8s.io/v1beta1
  1146  kind: ClusterRole
  1147  metadata:
  1148    name: cert-manager-cainjector
  1149    labels:
  1150      app: cainjector
  1151      chart: cainjector-v0.7.0
  1152      release: cert-manager
  1153      heritage: Tiller
  1154  rules:
          # read-only on Certificates (presumably the source of the CA data it injects)
  1155    - apiGroups: ["certmanager.k8s.io"]
  1156      resources: ["certificates"]
  1157      verbs: ["get", "list", "watch"]
          # read-only on every Secret in the cluster — no resourceNames restriction
  1158    - apiGroups: [""]
  1159      resources: ["secrets"]
  1160      verbs: ["get", "list", "watch"]
  1161    - apiGroups: [""]
  1162      resources: ["configmaps", "events"]
  1163      verbs: ["*"]
          # full read/write on admission webhook configurations, cluster-wide
  1164    - apiGroups: ["admissionregistration.k8s.io"]
  1165      resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  1166      verbs: ["*"]
          # full read/write on APIService registrations (API aggregation layer)
  1167    - apiGroups: ["apiregistration.k8s.io"]
  1168      resources: ["apiservices"]
  1169      verbs: ["*"]
  1170  ---
        # Grants the cert-manager-cainjector ClusterRole above to the cainjector
        # ServiceAccount in the cert-manager namespace.
  1171  apiVersion: rbac.authorization.k8s.io/v1beta1
  1172  kind: ClusterRoleBinding
  1173  metadata:
  1174    name: cert-manager-cainjector
  1175    labels:
  1176      app: cainjector
  1177      chart: cainjector-v0.7.0
  1178      release: cert-manager
  1179      heritage: Tiller
  1180  roleRef:
  1181    apiGroup: rbac.authorization.k8s.io
  1182    kind: ClusterRole
  1183    name: cert-manager-cainjector
  1184  subjects:
  1185    - name: cert-manager-cainjector
  1186      namespace: "cert-manager"
  1187      kind: ServiceAccount
  1188  ---
  1189  # Source: cert-manager/templates/rbac.yaml
        # Permissions for the cert-manager controller ServiceAccount. `*` on core
        # secrets with neither a resourceNames list nor a namespace scope grants
        # read/write of every Secret in the cluster; that is how the controller
        # stores issued keys, but it makes this token a cluster-wide secret-read
        # credential — scope audit-log alerting on this identity accordingly.
  1190  apiVersion: rbac.authorization.k8s.io/v1beta1
  1191  kind: ClusterRole
  1192  metadata:
  1193    name: cert-manager
  1194    labels:
  1195      app: cert-manager
  1196      chart: cert-manager-v0.7.0
  1197      release: cert-manager
  1198      heritage: Tiller
  1199  rules:
          # full control of its own CRDs, including the finalizers subresources
  1200    - apiGroups: ["certmanager.k8s.io"]
  1201      resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"]
  1202      verbs: ["*"]
          # wildcard verbs on secrets, pods and services across all namespaces
  1203    - apiGroups: [""]
  1204      resources: ["configmaps", "secrets", "events", "services", "pods"]
  1205      verbs: ["*"]
          # wildcard verbs on Ingresses (extensions group) across all namespaces
  1206    - apiGroups: ["extensions"]
  1207      resources: ["ingresses"]
  1208      verbs: ["*"]
  1209  ---
        # Grants the cert-manager ClusterRole above to the controller ServiceAccount.
  1210  apiVersion: rbac.authorization.k8s.io/v1beta1
  1211  kind: ClusterRoleBinding
  1212  metadata:
  1213    name: cert-manager
  1214    labels:
  1215      app: cert-manager
  1216      chart: cert-manager-v0.7.0
  1217      release: cert-manager
  1218      heritage: Tiller
  1219  roleRef:
  1220    apiGroup: rbac.authorization.k8s.io
  1221    kind: ClusterRole
  1222    name: cert-manager
  1223  subjects:
  1224    - name: cert-manager
  1225      namespace: "cert-manager"
  1226      kind: ServiceAccount
  1227  ---
        # Read-only rules folded into the built-in view, edit and admin roles
        # through the aggregate-to-* labels; no binding is needed for this role.
  1228  apiVersion: rbac.authorization.k8s.io/v1
  1229  kind: ClusterRole
  1230  metadata:
  1231    name: cert-manager-view
  1232    labels:
  1233      app: cert-manager
  1234      chart: cert-manager-v0.7.0
  1235      release: cert-manager
  1236      heritage: Tiller
  1237      rbac.authorization.k8s.io/aggregate-to-view: "true"
  1238      rbac.authorization.k8s.io/aggregate-to-edit: "true"
  1239      rbac.authorization.k8s.io/aggregate-to-admin: "true"
  1240  rules:
          # certificates and issuers only; clusterissuers are not exposed to viewers
  1241    - apiGroups: ["certmanager.k8s.io"]
  1242      resources: ["certificates", "issuers"]
  1243      verbs: ["get", "list", "watch"]
  1244  ---
        # Write rules folded into the built-in edit and admin roles (not view).
        # Namespace editors can therefore create Issuers and Certificates; the
        # cluster-scoped clusterissuers resource is deliberately left out here.
  1245  apiVersion: rbac.authorization.k8s.io/v1
  1246  kind: ClusterRole
  1247  metadata:
  1248    name: cert-manager-edit
  1249    labels:
  1250      app: cert-manager
  1251      chart: cert-manager-v0.7.0
  1252      release: cert-manager
  1253      heritage: Tiller
  1254      rbac.authorization.k8s.io/aggregate-to-edit: "true"
  1255      rbac.authorization.k8s.io/aggregate-to-admin: "true"
  1256  rules:
  1257    - apiGroups: ["certmanager.k8s.io"]
  1258      resources: ["certificates", "issuers"]
  1259      verbs: ["create", "delete", "deletecollection", "patch", "update"]
  1260  ---
  1261  # Source: cert-manager/charts/webhook/templates/rbac.yaml
  1262  ### Webhook ###
  1263  ---
  1264  # apiserver gets the auth-delegator role to delegate auth decisions to
  1265  # the core apiserver
        # Binds the webhook ServiceAccount to the built-in system:auth-delegator
        # ClusterRole, which is what lets an extension apiserver hand the
        # authentication and authorization of its callers to the core apiserver.
  1266  apiVersion: rbac.authorization.k8s.io/v1beta1
  1267  kind: ClusterRoleBinding
  1268  metadata:
  1269    name: cert-manager-webhook:auth-delegator
  1270    labels:
  1271      app: webhook
  1272      chart: webhook-v0.7.0
  1273      release: cert-manager
  1274      heritage: Tiller
  1275  roleRef:
  1276    apiGroup: rbac.authorization.k8s.io
  1277    kind: ClusterRole
  1278    name: system:auth-delegator
  1279  subjects:
        # empty apiGroup is the correct value for ServiceAccount subjects
  1280  - apiGroup: ""
  1281    kind: ServiceAccount
  1282    name: cert-manager-webhook
  1283    namespace: cert-manager
  1284  
  1285  ---
  1286  
  1287  # The apiserver gets the ability to read authentication configuration. This
  1288  # allows it to read the specific ConfigMap that holds the requestheader-*
  1289  # entries used for API aggregation.
        # Namespaced binding in kube-system to the built-in Role
        # extension-apiserver-authentication-reader, so the webhook can read the
        # ConfigMap carrying the request-header client-CA settings it needs to
        # verify calls forwarded by the core apiserver. The Role itself is a
        # cluster default and is not defined in this file.
  1290  apiVersion: rbac.authorization.k8s.io/v1beta1
  1291  kind: RoleBinding
  1292  metadata:
  1293    name: cert-manager-webhook:webhook-authentication-reader
  1294    namespace: kube-system
  1295    labels:
  1296      app: webhook
  1297      chart: webhook-v0.7.0
  1298      release: cert-manager
  1299      heritage: Tiller
  1300  roleRef:
  1301    apiGroup: rbac.authorization.k8s.io
  1302    kind: Role
  1303    name: extension-apiserver-authentication-reader
  1304  subjects:
  1305  - apiGroup: ""
  1306    kind: ServiceAccount
  1307    name: cert-manager-webhook
  1308    namespace: cert-manager
  1309  
  1310  ---
  1311  
        # Allows `create` on the admission.certmanager.k8s.io review resources,
        # i.e. the right to submit admission reviews to the webhook. No binding
        # for this role appears in this file — presumably it is bound to the
        # kube-apiserver's identity elsewhere; confirm, since without a binding
        # the role is inert.
        # Style: these rules use block sequences whereas every other role in this
        # file uses flow style; pick one for consistency.
  1312  apiVersion: rbac.authorization.k8s.io/v1
  1313  kind: ClusterRole
  1314  metadata:
  1315    name: cert-manager-webhook:webhook-requester
  1316    labels:
  1317      app: webhook
  1318      chart: webhook-v0.7.0
  1319      release: cert-manager
  1320      heritage: Tiller
  1321  rules:
  1322  - apiGroups:
  1323    - admission.certmanager.k8s.io
  1324    resources:
  1325    - certificates
  1326    - issuers
  1327    - clusterissuers
  1328    verbs:
  1329    - create
  1330  ---
  1331  # Source: cert-manager/charts/webhook/templates/service.yaml
        # ClusterIP Service fronting the webhook pods; only reachable in-cluster.
  1332  apiVersion: v1
  1333  kind: Service
  1334  metadata:
  1335    name: cert-manager-webhook
  1336    namespace: "cert-manager"
  1337    labels:
  1338      app: webhook
  1339      chart: webhook-v0.7.0
  1340      release: cert-manager
  1341      heritage: Tiller
  1342  spec:
  1343    type: ClusterIP
  1344    ports:
          # 443 externally, forwarded to the container's --secure-port=6443
  1345    - name: https
  1346      port: 443
  1347      targetPort: 6443
  1348    selector:
  1349      app: webhook
  1350      release: cert-manager
  1351  
  1352  ---
  1353  # Source: cert-manager/charts/cainjector/templates/deployment.yaml
        # cainjector Deployment, as rendered by the v0.7.0 chart.
        # apps/v1beta1 is a deprecated Deployment API version (apps/v1 replaces it).
  1354  apiVersion: apps/v1beta1
  1355  kind: Deployment
  1356  metadata:
  1357    name: cert-manager-cainjector
  1358    namespace: "cert-manager"
  1359    labels:
  1360      app: cainjector
  1361      chart: cainjector-v0.7.0
  1362      release: cert-manager
  1363      heritage: Tiller
  1364  spec:
  1365    replicas: 1
  1366    selector:
  1367      matchLabels:
  1368        app: cainjector
  1369        release: cert-manager
  1370    template:
  1371      metadata:
  1372        labels:
  1373          app: cainjector
  1374          release: cert-manager
              # NOTE: a bare `annotations:` parses as null, not an empty map (the
              # chart rendered no annotations); kubectl accepts it, yamllint's
              # empty-values rule flags it.
  1375        annotations:
              # No pod or container securityContext is set (runAsNonRoot,
              # readOnlyRootFilesystem, dropped capabilities); add one when
              # hardening this deployment.
  1376      spec:
  1377        serviceAccountName: cert-manager-cainjector
  1378        containers:
  1379          - name: cainjector
  1380            image: "quay.io/jetstack/cert-manager-cainjector:v0.7.0"
  1381            imagePullPolicy: IfNotPresent
                  # $(POD_NAMESPACE) is expanded by Kubernetes from the env entry below
  1382            args:
  1383            - --leader-election-namespace=$(POD_NAMESPACE)
  1384            env:
  1385            - name: POD_NAMESPACE
  1386              valueFrom:
  1387                fieldRef:
  1388                  fieldPath: metadata.namespace
                  # empty resources: no requests or limits, so the pod is unbounded
                  # and runs at BestEffort QoS
  1389            resources:
  1390              {}
  1391              
  1392  
  1393  ---
  1394  # Source: cert-manager/charts/webhook/templates/deployment.yaml
        # webhook Deployment (admission webhook server), as rendered by the v0.7.0
        # chart. apps/v1beta1 is a deprecated Deployment API version.
  1395  apiVersion: apps/v1beta1
  1396  kind: Deployment
  1397  metadata:
  1398    name: cert-manager-webhook
  1399    namespace: "cert-manager"
  1400    labels:
  1401      app: webhook
  1402      chart: webhook-v0.7.0
  1403      release: cert-manager
  1404      heritage: Tiller
  1405  spec:
  1406    replicas: 1
  1407    selector:
  1408      matchLabels:
  1409        app: webhook
  1410        release: cert-manager
  1411    template:
  1412      metadata:
  1413        labels:
  1414          app: webhook
  1415          release: cert-manager
              # NOTE: bare `annotations:` parses as null rather than an empty map
  1416        annotations:
              # No pod or container securityContext is set; add one when hardening.
  1417      spec:
  1418        serviceAccountName: cert-manager-webhook
  1419        containers:
  1420          - name: webhook
  1421            image: "quay.io/jetstack/cert-manager-webhook:v0.7.0"
  1422            imagePullPolicy: IfNotPresent
                  # NOTE(review): --v=12 is a debug-level verbosity. At that level the
                  # server may write admission request payloads (the objects being
                  # validated) to pod logs; lower it for production and treat these
                  # logs as sensitive until the exact output at this level is confirmed.
  1423            args:
  1424            - --v=12
  1425            - --secure-port=6443
  1426            - --tls-cert-file=/certs/tls.crt
  1427            - --tls-private-key-file=/certs/tls.key
  1428            env:
  1429            - name: POD_NAMESPACE
  1430              valueFrom:
  1431                fieldRef:
  1432                  fieldPath: metadata.namespace
                  # empty resources: no requests or limits (BestEffort QoS)
  1433            resources:
  1434              {}
  1435              
  1436            volumeMounts:
  1437            - name: certs
  1438              mountPath: /certs
              # Serving cert and key come from Secret cert-manager-webhook-webhook-tls,
              # which is not defined in the visible part of this file — presumably
              # issued by cert-manager itself (confirm). The pod stays in
              # ContainerCreating until that Secret exists.
  1439        volumes:
  1440        - name: certs
  1441          secret:
  1442            secretName: cert-manager-webhook-webhook-tls
  1443  
  1444  ---
  1445  # Source: cert-manager/templates/deployment.yaml
  1446  apiVersion: apps/v1beta1
  1447  kind: Deployment
  1448  metadata:
  1449    name: cert-manager
  1450    namespace: "cert-manager"
  1451    labels:
  1452      app: cert-manager
  1453      chart: cert-manager-v0.7.0
  1454      release: cert-manager
  1455      heritage: Tiller
  1456  spec:
  1457    replicas: 1
  1458    selector:
  1459      matchLabels:
  1460        app: cert-manager
  1461        release: cert-manager
  1462    template:
  1463      metadata:
  1464        labels:
  1465          app: cert-manager
  1466          release: cert-manager
  1467        annotations:
  1468          prometheus.io/path: "/metrics"
  1469          prometheus.io/scrape: 'true'
  1470          prometheus.io/port: '9402'
  1471      spec:
  1472        serviceAccountName: cert-manager
  1473        containers:
  1474          - name: cert-manager
  1475            image: "quay.io/jetstack/cert-manager-controller:v0.7.0"
  1476            imagePullPolicy: IfNotPresent
  1477            args:
  1478            - --cluster-resource-namespace=$(POD_NAMESPACE)
  1479            - --leader-election-namespace=$(POD_NAMESPACE)
  1480            ports:
  1481            - containerPort: 9402
  1482            env:
  1483            - name: POD_NAMESPACE
  1484              valueFrom:
  1485                fieldRef:
  1486                  fieldPath: metadata.namespace
  1487            resources:
  1488              requests:
  1489                cpu: 10m
  1490                memory: 32Mi
  1491              
  1492  
---
# Source: cert-manager/charts/webhook/templates/apiservice.yaml
# Registers the webhook as an aggregated API so the kube-apiserver proxies
# /apis/admission.certmanager.k8s.io/v1beta1/... to the cert-manager-webhook
# Service; the ValidatingWebhookConfiguration below addresses it through the
# kubernetes.default service on that path rather than calling the pod directly.
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.admission.certmanager.k8s.io
  labels:
    app: webhook
    chart: webhook-v0.7.0
    release: cert-manager
    heritage: Tiller
  annotations:
    # "<namespace>/<Certificate name>" — presumably cainjector fills
    # spec.caBundle from the CA of that Certificate's Secret, so the
    # apiserver verifies the webhook's serving cert instead of relying on
    # insecureSkipTLSVerify (which is correctly not set here). Confirm
    # against the cainjector behaviour for this version.
    certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls"
spec:
  group: admission.certmanager.k8s.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook
    namespace: "cert-manager"
  version: v1beta1
  1514  
---
# Source: cert-manager/charts/webhook/templates/pki.yaml
# (the consecutive `---` below yields an empty document; harmless to parsers)
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates.
# Issuer is namespaced, so only Certificates in the cert-manager namespace
# can reference it.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: cert-manager-webhook-selfsign
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.0
    release: cert-manager
    heritage: Tiller
spec:
  selfSigned: {}
  1532  
---

# Generate a CA Certificate used to sign certificates for the webhook.
# The resulting Secret (cert-manager-webhook-ca) holds the CA private key:
# anyone who can read it can mint serving certs the apiserver will accept for
# this webhook, so Secret read access in the cert-manager namespace should be
# limited to the cert-manager components themselves.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-manager-webhook-ca
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.0
    release: cert-manager
    heritage: Tiller
spec:
  secretName: cert-manager-webhook-ca
  duration: 43800h # 5y (1825 days); no renewBefore set, so the default applies
  issuerRef:
    name: cert-manager-webhook-selfsign
  commonName: "ca.webhook.cert-manager"
  isCA: true
  1553  
---

# Create an Issuer that uses the above generated CA certificate to issue certs.
# Reads the CA key pair from the Secret written by the CA Certificate above;
# the Secret names must match for issuance to work.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: cert-manager-webhook-ca
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.0
    release: cert-manager
    heritage: Tiller
spec:
  ca:
    secretName: cert-manager-webhook-ca
  1570  
---

# Finally, generate a serving certificate for the webhook to use.
# The Secret named here is mounted at /certs by the webhook Deployment, so
# the webhook pod cannot start until this Certificate has been issued.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-manager-webhook-webhook-tls
  namespace: "cert-manager"
  labels:
    app: webhook
    chart: webhook-v0.7.0
    release: cert-manager
    heritage: Tiller
spec:
  secretName: cert-manager-webhook-webhook-tls
  duration: 8760h # 1y (365 days)
  issuerRef:
    name: cert-manager-webhook-ca
  # SANs for the in-cluster Service name at each qualification level; the
  # aggregation layer connects to <name>.<namespace>.svc, which is covered.
  dnsNames:
  - cert-manager-webhook
  - cert-manager-webhook.cert-manager
  - cert-manager-webhook.cert-manager.svc
  1593  
---
# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
# Validates CREATE/UPDATE of certificates, issuers and clusterissuers. Each
# webhook below has the same shape; the three differ only in the resource
# and the path. DELETE and CONNECT are not covered by the rules.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    chart: webhook-v0.7.0
    release: cert-manager
    heritage: Tiller
  annotations:
    # Presumably cainjector fills each webhook's clientConfig.caBundle with
    # the apiserver's CA, since the calls below go to the kubernetes.default
    # service rather than to the webhook pod — confirm for this version.
    certmanager.k8s.io/inject-apiserver-ca: "true"
webhooks:
  - name: certificates.admission.certmanager.k8s.io
    # Two opt-outs: namespaces labelled
    # certmanager.k8s.io/disable-validation=true, and namespaces labelled
    # name=cert-manager (the release's own namespace). Anyone permitted to
    # label namespaces can therefore exempt one from validation, so keep
    # namespace label RBAC tight. The `name` label is not set by any object
    # visible here; the exemption only works if the namespace carries it.
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
    # Fail closed: if the webhook is unreachable, matching writes are
    # rejected rather than admitted unvalidated.
    failurePolicy: Fail
    # Routed through the apiserver's own service; the aggregation layer
    # forwards this path to the APIService registered above.
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
  - name: issuers.admission.certmanager.k8s.io
    # Same selector and policy as the certificates webhook above.
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - issuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
  - name: clusterissuers.admission.certmanager.k8s.io
    # Same selector and policy as the certificates webhook above. Note that
    # clusterissuers are cluster-scoped, so the namespaceSelector is
    # presumably moot for them — confirm how the apiserver evaluates it.
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusterissuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers