github.com/replicatedhq/ship@v0.55.0/integration/init/cert-manager/expected/rendered.yaml

apiVersion: v1
kind: Namespace
metadata:
  labels:
    certmanager.k8s.io/disable-validation: "true"
  name: cert-manager
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: certificates.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type==\"Ready\")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type==\"Ready\")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Certificate
    plural: certificates
    shortNames:
    - cert
    - certs
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              description: ACME contains configuration specific to ACME Certificates. Notably, this contains details on how the domain names listed on this Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 providers to DNS names.
              properties:
                config:
                  items:
                    properties:
                      domains:
                        description: Domains is the list of domains that this SolverConfig applies to.
                        items:
                          type: string
                        type: array
                    required:
                    - domains
                    type: object
                  type: array
              required:
              - config
              type: object
            commonName:
              description: CommonName is a common name to be used on the Certificate
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the Certificate
              items:
                type: string
              type: array
            duration:
              description: Certificate default Duration
              type: string
            ipAddresses:
              description: IPAddresses is a list of IP addresses to be used on the Certificate
              items:
                type: string
              type: array
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This implies that the 'signing' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the Certificate will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            keyAlgorithm:
              description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is not provided, key size of 256 will be used for "ecdsa" key algorithm and key size of 2048 will be used for "rsa" key algorithm.
              enum:
              - rsa
              - ecdsa
              type: string
            keySize:
              description: KeySize is the key bit size of the corresponding private key for this certificate. If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", and value must be one of (256, 384, 521) when KeyAlgorithm is set to "ecdsa".
              format: int64
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              items:
                type: string
              type: array
            renewBefore:
              description: Certificate renew before expiration duration
              type: string
            secretName:
              description: SecretName is the name of the secret resource to store this secret in
              type: string
          required:
          - secretName
          - issuerRef
          type: object
        status:
          properties:
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False', 'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - lastTransitionTime
                - reason
                - message
                type: object
              type: array
            lastFailureTime:
              format: date-time
              type: string
            notAfter:
              description: The expiration time of the certificate stored in the secret named by this resource in spec.secretName.
              format: date-time
              type: string
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: challenges.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Challenge
    plural: challenges
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            authzURL:
              description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
              type: string
            config:
              description: Config specifies the solver configuration for this challenge.
              type: object
            dnsName:
              description: DNSName is the identifier that this challenge is for, e.g. example.com.
              type: string
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            key:
              description: Key is the ACME challenge key for this challenge
              type: string
            token:
              description: Token is the ACME challenge token for this challenge.
              type: string
            type:
              description: Type is the type of ACME challenge this resource represents, e.g. "dns01" or "http01"
              type: string
            url:
              description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
              type: string
            wildcard:
              description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'
              type: boolean
          required:
          - authzURL
          - type
          - url
          - dnsName
          - token
          - key
          - wildcard
          - config
          - issuerRef
          type: object
        status:
          properties:
            presented:
              description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
              type: boolean
            processing:
              description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
              type: boolean
            reason:
              description: Reason contains human readable information on why the Challenge is in the current state.
              type: string
            state:
              description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
          required:
          - processing
          - presented
          - reason
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: clusterissuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
              required:
              - email
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                uri:
                  description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False', 'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - lastTransitionTime
                - reason
                - message
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: issuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: Issuer
    plural: issuers
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
              required:
              - email
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                uri:
                  description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False', 'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                - lastTransitionTime
                - reason
                - message
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: orders.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Order
    plural: orders
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded CSR. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.
              type: string
            config:
              description: Config specifies a mapping from DNS identifiers to how those identifiers should be solved when performing ACME challenges. A config entry must exist for each domain listed in DNSNames and CommonName.
              items:
                properties:
                  domains:
                    description: Domains is the list of domains that this SolverConfig applies to.
                    items:
                      type: string
                    type: array
                required:
                - domains
                type: object
              type: array
            csr:
              description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included as part of the Order validation process. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
              properties:
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          - config
          type: object
        status:
          properties:
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
              format: byte
              type: string
            challenges:
              description: Challenges is a list of ChallengeSpecs for Challenges that must be created in order to complete this Order.
              items:
                properties:
                  authzURL:
                    description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
                    type: string
                  config:
                    description: Config specifies the solver configuration for this challenge.
                    type: object
                  dnsName:
                    description: DNSName is the identifier that this challenge is for, e.g. example.com.
                    type: string
                  issuerRef:
                    description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
                    properties:
                      kind:
                        type: string
                      name:
                        type: string
                    required:
                    - name
                    type: object
                  key:
                    description: Key is the ACME challenge key for this challenge
                    type: string
                  token:
                    description: Token is the ACME challenge token for this challenge.
                    type: string
                  type:
                    description: Type is the type of ACME challenge this resource represents, e.g. "dns01" or "http01"
                    type: string
                  url:
                    description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
                    type: string
                  wildcard:
                    description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'
                    type: boolean
                required:
                - authzURL
                - type
                - url
                - dnsName
                - token
                - key
                - wildcard
                - config
                - issuerRef
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
              type: string
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    certmanager.k8s.io/inject-apiserver-ca: "true"
  labels:
    app: webhook
    release: cert-manager
  name: cert-manager-webhook
webhooks:
- clientConfig:
    service:
      name: kubernetes
      namespace: default
      path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
  failurePolicy: Fail
  name: certificates.admission.certmanager.k8s.io
  namespaceSelector:
    matchExpressions:
    - key: certmanager.k8s.io/disable-validation
      operator: NotIn
      values:
      - "true"
    - key: name
      operator: NotIn
      values:
      - cert-manager
  rules:
  - apiGroups:
    - certmanager.k8s.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - certificates
- clientConfig:
    service:
      name: kubernetes
      namespace: default
      path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
  failurePolicy: Fail
  name: issuers.admission.certmanager.k8s.io
  namespaceSelector:
    matchExpressions:
    - key: certmanager.k8s.io/disable-validation
      operator: NotIn
      values:
      - "true"
    - key: name
      operator: NotIn
      values:
      - cert-manager
  rules:
  - apiGroups:
    - certmanager.k8s.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - issuers
- clientConfig:
    service:
      name: kubernetes
      namespace: default
      path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
  failurePolicy: Fail
  name: clusterissuers.admission.certmanager.k8s.io
  namespaceSelector:
    matchExpressions:
    - key: certmanager.k8s.io/disable-validation
      operator: NotIn
      values:
      - "true"
    - key: name
      operator: NotIn
      values:
      - cert-manager
  rules:
  - apiGroups:
    - certmanager.k8s.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - clusterissuers
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cainjector
    release: cert-manager
  name: cert-manager-cainjector
  namespace: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: webhook
    release: cert-manager
  name: cert-manager-webhook
  namespace: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cert-manager
    release: cert-manager
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    release: cert-manager
  name: cert-manager-edit
rules:
- apiGroups:
  - certmanager.k8s.io
  resources:
  - certificates
  - issuers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: cert-manager
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    release: cert-manager
  name: cert-manager-view
rules:
- apiGroups:
  - certmanager.k8s.io
  resources:
  - certificates
  - issuers
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: 1090 labels: 1091 app: webhook 1092 release: cert-manager 1093 name: cert-manager-webhook:webhook-requester 1094 rules: 1095 - apiGroups: 1096 - admission.certmanager.k8s.io 1097 resources: 1098 - certificates 1099 - issuers 1100 - clusterissuers 1101 verbs: 1102 - create 1103 --- 1104 apiVersion: rbac.authorization.k8s.io/v1beta1 1105 kind: ClusterRole 1106 metadata: 1107 labels: 1108 app: cainjector 1109 release: cert-manager 1110 name: cert-manager-cainjector 1111 rules: 1112 - apiGroups: 1113 - certmanager.k8s.io 1114 resources: 1115 - certificates 1116 verbs: 1117 - get 1118 - list 1119 - watch 1120 - apiGroups: 1121 - "" 1122 resources: 1123 - secrets 1124 verbs: 1125 - get 1126 - list 1127 - watch 1128 - apiGroups: 1129 - "" 1130 resources: 1131 - configmaps 1132 - events 1133 verbs: 1134 - '*' 1135 - apiGroups: 1136 - admissionregistration.k8s.io 1137 resources: 1138 - validatingwebhookconfigurations 1139 - mutatingwebhookconfigurations 1140 verbs: 1141 - '*' 1142 - apiGroups: 1143 - apiregistration.k8s.io 1144 resources: 1145 - apiservices 1146 verbs: 1147 - '*' 1148 --- 1149 apiVersion: rbac.authorization.k8s.io/v1beta1 1150 kind: ClusterRole 1151 metadata: 1152 labels: 1153 app: cert-manager 1154 release: cert-manager 1155 name: cert-manager 1156 rules: 1157 - apiGroups: 1158 - certmanager.k8s.io 1159 resources: 1160 - certificates 1161 - certificates/finalizers 1162 - issuers 1163 - clusterissuers 1164 - orders 1165 - orders/finalizers 1166 - challenges 1167 verbs: 1168 - '*' 1169 - apiGroups: 1170 - "" 1171 resources: 1172 - configmaps 1173 - secrets 1174 - events 1175 - services 1176 - pods 1177 verbs: 1178 - '*' 1179 - apiGroups: 1180 - extensions 1181 resources: 1182 - ingresses 1183 verbs: 1184 - '*' 1185 --- 1186 apiVersion: rbac.authorization.k8s.io/v1beta1 1187 kind: RoleBinding 1188 metadata: 1189 labels: 1190 app: webhook 1191 release: cert-manager 1192 name: cert-manager-webhook:webhook-authentication-reader 1193 namespace: 
kube-system 1194 roleRef: 1195 apiGroup: rbac.authorization.k8s.io 1196 kind: Role 1197 name: extension-apiserver-authentication-reader 1198 subjects: 1199 - apiGroup: "" 1200 kind: ServiceAccount 1201 name: cert-manager-webhook 1202 namespace: cert-manager 1203 --- 1204 apiVersion: rbac.authorization.k8s.io/v1beta1 1205 kind: ClusterRoleBinding 1206 metadata: 1207 labels: 1208 app: cainjector 1209 release: cert-manager 1210 name: cert-manager-cainjector 1211 roleRef: 1212 apiGroup: rbac.authorization.k8s.io 1213 kind: ClusterRole 1214 name: cert-manager-cainjector 1215 subjects: 1216 - kind: ServiceAccount 1217 name: cert-manager-cainjector 1218 namespace: cert-manager 1219 --- 1220 apiVersion: rbac.authorization.k8s.io/v1beta1 1221 kind: ClusterRoleBinding 1222 metadata: 1223 labels: 1224 app: webhook 1225 release: cert-manager 1226 name: cert-manager-webhook:auth-delegator 1227 roleRef: 1228 apiGroup: rbac.authorization.k8s.io 1229 kind: ClusterRole 1230 name: system:auth-delegator 1231 subjects: 1232 - apiGroup: "" 1233 kind: ServiceAccount 1234 name: cert-manager-webhook 1235 namespace: cert-manager 1236 --- 1237 apiVersion: rbac.authorization.k8s.io/v1beta1 1238 kind: ClusterRoleBinding 1239 metadata: 1240 labels: 1241 app: cert-manager 1242 release: cert-manager 1243 name: cert-manager 1244 roleRef: 1245 apiGroup: rbac.authorization.k8s.io 1246 kind: ClusterRole 1247 name: cert-manager 1248 subjects: 1249 - kind: ServiceAccount 1250 name: cert-manager 1251 namespace: cert-manager 1252 --- 1253 apiVersion: v1 1254 kind: Service 1255 metadata: 1256 labels: 1257 app: webhook 1258 release: cert-manager 1259 name: cert-manager-webhook 1260 namespace: cert-manager 1261 spec: 1262 ports: 1263 - name: https 1264 port: 443 1265 targetPort: 6443 1266 selector: 1267 app: webhook 1268 release: cert-manager 1269 type: ClusterIP 1270 --- 1271 apiVersion: apps/v1beta1 1272 kind: Deployment 1273 metadata: 1274 labels: 1275 app: cainjector 1276 release: cert-manager 1277 
name: cert-manager-cainjector 1278 namespace: cert-manager 1279 spec: 1280 replicas: 1 1281 selector: 1282 matchLabels: 1283 app: cainjector 1284 release: cert-manager 1285 template: 1286 metadata: 1287 annotations: null 1288 labels: 1289 app: cainjector 1290 release: cert-manager 1291 spec: 1292 containers: 1293 - args: 1294 - --leader-election-namespace=$(POD_NAMESPACE) 1295 env: 1296 - name: POD_NAMESPACE 1297 valueFrom: 1298 fieldRef: 1299 fieldPath: metadata.namespace 1300 image: quay.io/jetstack/cert-manager-cainjector:v0.7.0 1301 imagePullPolicy: IfNotPresent 1302 name: cainjector 1303 resources: {} 1304 serviceAccountName: cert-manager-cainjector 1305 --- 1306 apiVersion: apps/v1beta1 1307 kind: Deployment 1308 metadata: 1309 labels: 1310 app: webhook 1311 release: cert-manager 1312 name: cert-manager-webhook 1313 namespace: cert-manager 1314 spec: 1315 replicas: 1 1316 selector: 1317 matchLabels: 1318 app: webhook 1319 release: cert-manager 1320 template: 1321 metadata: 1322 annotations: null 1323 labels: 1324 app: webhook 1325 release: cert-manager 1326 spec: 1327 containers: 1328 - args: 1329 - --v=12 1330 - --secure-port=6443 1331 - --tls-cert-file=/certs/tls.crt 1332 - --tls-private-key-file=/certs/tls.key 1333 env: 1334 - name: POD_NAMESPACE 1335 valueFrom: 1336 fieldRef: 1337 fieldPath: metadata.namespace 1338 image: quay.io/jetstack/cert-manager-webhook:v0.7.0 1339 imagePullPolicy: IfNotPresent 1340 name: webhook 1341 resources: {} 1342 volumeMounts: 1343 - mountPath: /certs 1344 name: certs 1345 serviceAccountName: cert-manager-webhook 1346 volumes: 1347 - name: certs 1348 secret: 1349 secretName: cert-manager-webhook-webhook-tls 1350 --- 1351 apiVersion: apps/v1beta1 1352 kind: Deployment 1353 metadata: 1354 labels: 1355 app: cert-manager 1356 release: cert-manager 1357 name: cert-manager 1358 namespace: cert-manager 1359 spec: 1360 replicas: 1 1361 selector: 1362 matchLabels: 1363 app: cert-manager 1364 release: cert-manager 1365 template: 1366 
metadata: 1367 annotations: 1368 prometheus.io/path: /metrics 1369 prometheus.io/port: "9402" 1370 prometheus.io/scrape: "true" 1371 labels: 1372 app: cert-manager 1373 release: cert-manager 1374 spec: 1375 containers: 1376 - args: 1377 - --cluster-resource-namespace=$(POD_NAMESPACE) 1378 - --leader-election-namespace=$(POD_NAMESPACE) 1379 env: 1380 - name: POD_NAMESPACE 1381 valueFrom: 1382 fieldRef: 1383 fieldPath: metadata.namespace 1384 image: quay.io/jetstack/cert-manager-controller:v0.7.0 1385 imagePullPolicy: IfNotPresent 1386 name: cert-manager 1387 ports: 1388 - containerPort: 9402 1389 resources: 1390 requests: 1391 cpu: 10m 1392 memory: 32Mi 1393 serviceAccountName: cert-manager 1394 --- 1395 apiVersion: apiregistration.k8s.io/v1beta1 1396 kind: APIService 1397 metadata: 1398 annotations: 1399 certmanager.k8s.io/inject-ca-from: cert-manager/cert-manager-webhook-webhook-tls 1400 labels: 1401 app: webhook 1402 chart: webhook-v0.7.0 1403 heritage: Tiller 1404 release: cert-manager 1405 name: v1beta1.admission.certmanager.k8s.io 1406 spec: 1407 group: admission.certmanager.k8s.io 1408 groupPriorityMinimum: 1000 1409 service: 1410 name: cert-manager-webhook 1411 namespace: cert-manager 1412 version: v1beta1 1413 versionPriority: 15 1414 --- 1415 apiVersion: certmanager.k8s.io/v1alpha1 1416 kind: Certificate 1417 metadata: 1418 labels: 1419 app: webhook 1420 chart: webhook-v0.7.0 1421 heritage: Tiller 1422 release: cert-manager 1423 name: cert-manager-webhook-ca 1424 namespace: cert-manager 1425 spec: 1426 commonName: ca.webhook.cert-manager 1427 duration: 43800h 1428 isCA: true 1429 issuerRef: 1430 name: cert-manager-webhook-selfsign 1431 secretName: cert-manager-webhook-ca 1432 --- 1433 apiVersion: certmanager.k8s.io/v1alpha1 1434 kind: Certificate 1435 metadata: 1436 labels: 1437 app: webhook 1438 chart: webhook-v0.7.0 1439 heritage: Tiller 1440 release: cert-manager 1441 name: cert-manager-webhook-webhook-tls 1442 namespace: cert-manager 1443 spec: 1444 
dnsNames: 1445 - cert-manager-webhook 1446 - cert-manager-webhook.cert-manager 1447 - cert-manager-webhook.cert-manager.svc 1448 duration: 8760h 1449 issuerRef: 1450 name: cert-manager-webhook-ca 1451 secretName: cert-manager-webhook-webhook-tls 1452 --- 1453 apiVersion: certmanager.k8s.io/v1alpha1 1454 kind: Issuer 1455 metadata: 1456 labels: 1457 app: webhook 1458 chart: webhook-v0.7.0 1459 heritage: Tiller 1460 release: cert-manager 1461 name: cert-manager-webhook-ca 1462 namespace: cert-manager 1463 spec: 1464 ca: 1465 secretName: cert-manager-webhook-ca 1466 --- 1467 apiVersion: certmanager.k8s.io/v1alpha1 1468 kind: Issuer 1469 metadata: 1470 labels: 1471 app: webhook 1472 chart: webhook-v0.7.0 1473 heritage: Tiller 1474 release: cert-manager 1475 name: cert-manager-webhook-selfsign 1476 namespace: cert-manager 1477 spec: 1478 selfSigned: {}