github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/cert-manager/templates/crds.yaml

{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Approved")].status
          name: Approved
          type: string
        - jsonPath: .status.conditions[?(@.type=="Denied")].status
          name: Denied
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          type: string
        - jsonPath: .spec.username
          name: Requestor
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the CertificateRequest resource.
              type: object
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
                  type: string
                extra:
                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                request:
                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
                  type: string
                  format: byte
                uid:
                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: Status of the CertificateRequest. This is set and managed automatically.
              type: object
              properties:
                ca:
                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
                        type: string
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failureTime:
                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
      - cert
      - certs
    singular: certificate
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.secretName
          name: Secret
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          priority: 1
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Certificate resource.
              type: object
              required:
                - issuerRef
                - secretName
              properties:
                additionalOutputFormats:
                  description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
                  type: array
                  items:
                    description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
                    type: object
                    required:
                      - type
                    properties:
                      type:
                        description: Type is the name of the format type that should be written to the Certificate's target Secret.
                        type: string
                        enum:
                          - DER
                          - CombinedPEM
                commonName:
                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                  type: string
                dnsNames:
                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                emailAddresses:
                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                encodeUsagesInRequest:
                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
                  type: boolean
                ipAddresses:
                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                isCA:
                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                keystores:
                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
                  type: object
                  properties:
                    jks:
                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    pkcs12:
                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                literalSubject:
                  description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
                  type: string
                privateKey:
                  description: Options to control private keys used for the Certificate.
                  type: object
                  properties:
                    algorithm:
                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
                      type: string
                      enum:
                        - RSA
                        - ECDSA
                        - Ed25519
                    encoding:
                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
                      type: string
                      enum:
                        - PKCS1
                        - PKCS8
                    rotationPolicy:
                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
                      type: string
                      enum:
                        - Never
                        - Always
                    size:
                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
                      type: integer
                renewBefore:
                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                revisionHistoryLimit:
                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
                  type: integer
                  format: int32
                secretName:
                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
                  type: string
                secretTemplate:
                  description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
                  type: object
                  properties:
                    annotations:
                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                    labels:
                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                subject:
                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                  type: object
                  properties:
                    countries:
                      description: Countries to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    localities:
                      description: Cities to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizationalUnits:
                      description: Organizational Units to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizations:
                      description: Organizations to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    postalCodes:
                      description: Postal codes to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    provinces:
                      description: State/Provinces to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    serialNumber:
                      description: Serial number to be used on the Certificate.
                      type: string
                    streetAddresses:
                      description: Street addresses to be used on the Certificate.
                      type: array
                      items:
                        type: string
                uris:
                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
            status:
              description: Status of the Certificate. This is set and managed automatically.
              type: object
              properties:
                conditions:
                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
                  type: array
                  items:
                    description: CertificateCondition contains condition information for an Certificate.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `Issuing`).
                        type: string
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failedIssuanceAttempts:
                  description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
                  type: integer
                lastFailureTime:
                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
                  type: string
                  format: date-time
                nextPrivateKeySecretName:
                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
                  type: string
                notAfter:
                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
                  type: string
                  format: date-time
                notBefore:
                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
                  type: string
                  format: date-time
                renewalTime:
                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
                  type: string
                  format: date-time
                revision:
                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
                  type: integer
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: challenges.acme.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: acme.cert-manager.io
  names:
    kind: Challenge
    listKind: ChallengeList
    plural: challenges
    singular: challenge
    categories:
      - cert-manager
      - cert-manager-acme
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .status.state
          name: State
          type: string
        - jsonPath: .spec.dnsName
          name: Domain
          type: string
        - jsonPath: .status.reason
          name: Reason
          priority: 1
          type: string
        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: Challenge is a type to represent a Challenge request with an ACME server
          type: object
          required:
            - metadata
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              type: object
              required:
                - authorizationURL
                - dnsName
                - issuerRef
                - key
                - solver
                - token
                - type
                - url
              properties:
                authorizationURL:
                  description: The URL to the ACME Authorization resource that this challenge is a part of.
                  type: string
                dnsName:
                  description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
                  type: string
                issuerRef:
                  description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                key:
                  description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
                  type: string
                solver:
                  description: Contains the domain solving configuration that should be used to solve this challenge resource.
                  type: object
                  properties:
                    dns01:
                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
                      type: object
                      properties:
                        acmeDNS:
                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
                          type: object
                          required:
                            - accountSecretRef
                            - host
                          properties:
                            accountSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            host:
                              type: string
                        akamai:
                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
                          type: object
                          required:
                            - accessTokenSecretRef
                            - clientSecretSecretRef
                            - clientTokenSecretRef
                            - serviceConsumerDomain
                          properties:
                            accessTokenSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            clientSecretSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            clientTokenSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            serviceConsumerDomain:
                              type: string
                        azureDNS:
                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
                          type: object
                          required:
                            - resourceGroupName
                            - subscriptionID
                          properties:
                            clientID:
                              description: if both this and ClientSecret are left unset MSI will be used
                              type: string
                            clientSecretSecretRef:
                              description: if both this and ClientID are left unset MSI will be used
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 757 type: string 758 environment: 759 description: name of the Azure environment (default AzurePublicCloud) 760 type: string 761 enum: 762 - AzurePublicCloud 763 - AzureChinaCloud 764 - AzureGermanCloud 765 - AzureUSGovernmentCloud 766 hostedZoneName: 767 description: name of the DNS zone that should be used 768 type: string 769 managedIdentity: 770 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 771 type: object 772 properties: 773 clientID: 774 description: client ID of the managed identity, can not be used at the same time as resourceID 775 type: string 776 resourceID: 777 description: resource ID of the managed identity, can not be used at the same time as clientID 778 type: string 779 resourceGroupName: 780 description: resource group the DNS zone is located in 781 type: string 782 subscriptionID: 783 description: ID of the Azure subscription 784 type: string 785 tenantID: 786 description: when specifying ClientID and ClientSecret then this field is also needed 787 type: string 788 cloudDNS: 789 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 790 type: object 791 required: 792 - project 793 properties: 794 hostedZoneName: 795 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 796 type: string 797 project: 798 type: string 799 serviceAccountSecretRef: 800 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 801 type: object 802 required: 803 - name 804 properties: 805 key: 806 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
807 type: string 808 name: 809 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 810 type: string 811 cloudflare: 812 description: Use the Cloudflare API to manage DNS01 challenge records. 813 type: object 814 properties: 815 apiKeySecretRef: 816 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 817 type: object 818 required: 819 - name 820 properties: 821 key: 822 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 823 type: string 824 name: 825 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 826 type: string 827 apiTokenSecretRef: 828 description: API token used to authenticate with Cloudflare. 829 type: object 830 required: 831 - name 832 properties: 833 key: 834 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 835 type: string 836 name: 837 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 838 type: string 839 email: 840 description: Email of the account, only required when using API key based authentication. 841 type: string 842 cnameStrategy: 843 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 844 type: string 845 enum: 846 - None 847 - Follow 848 digitalocean: 849 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 
850 type: object 851 required: 852 - tokenSecretRef 853 properties: 854 tokenSecretRef: 855 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 856 type: object 857 required: 858 - name 859 properties: 860 key: 861 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 862 type: string 863 name: 864 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 865 type: string 866 rfc2136: 867 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 868 type: object 869 required: 870 - nameserver 871 properties: 872 nameserver: 873 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required. 874 type: string 875 tsigAlgorithm: 876 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 877 type: string 878 tsigKeyName: 879 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 880 type: string 881 tsigSecretSecretRef: 882 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 883 type: object 884 required: 885 - name 886 properties: 887 key: 888 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
889 type: string 890 name: 891 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 892 type: string 893 route53: 894 description: Use the AWS Route53 API to manage DNS01 challenge records. 895 type: object 896 required: 897 - region 898 properties: 899 accessKeyID: 900 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 901 type: string 902 accessKeyIDSecretRef: 903 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 904 type: object 905 required: 906 - name 907 properties: 908 key: 909 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 910 type: string 911 name: 912 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 913 type: string 914 hostedZoneID: 915 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
916 type: string 917 region: 918 description: Always set the region when using AccessKeyID and SecretAccessKey 919 type: string 920 role: 921 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 922 type: string 923 secretAccessKeySecretRef: 924 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 925 type: object 926 required: 927 - name 928 properties: 929 key: 930 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 931 type: string 932 name: 933 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 934 type: string 935 webhook: 936 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 937 type: object 938 required: 939 - groupName 940 - solverName 941 properties: 942 config: 943 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 
944 x-kubernetes-preserve-unknown-fields: true 945 groupName: 946 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 947 type: string 948 solverName: 949 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 950 type: string 951 http01: 952 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 953 type: object 954 properties: 955 gatewayHTTPRoute: 956 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 957 type: object 958 properties: 959 labels: 960 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 961 type: object 962 additionalProperties: 963 type: string 964 parentRefs: 965 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 966 type: array 967 items: 968 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. 
This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 969 type: object 970 required: 971 - name 972 properties: 973 group: 974 description: "Group is the group of the referent. \n Support: Core" 975 type: string 976 default: gateway.networking.k8s.io 977 maxLength: 253 978 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 979 kind: 980 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 981 type: string 982 default: Gateway 983 maxLength: 63 984 minLength: 1 985 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 986 name: 987 description: "Name is the name of the referent. \n Support: Core" 988 type: string 989 maxLength: 253 990 minLength: 1 991 namespace: 992 description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 993 type: string 994 maxLength: 63 995 minLength: 1 996 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 997 sectionName: 998 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. 
For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 999 type: string 1000 maxLength: 253 1001 minLength: 1 1002 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1003 serviceType: 1004 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 1005 type: string 1006 ingress: 1007 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 1008 type: object 1009 properties: 1010 class: 1011 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 1012 type: string 1013 ingressTemplate: 1014 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 1015 type: object 1016 properties: 1017 metadata: 1018 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 1019 type: object 1020 properties: 1021 annotations: 1022 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 1023 type: object 1024 additionalProperties: 1025 type: string 1026 labels: 1027 description: Labels that should be added to the created ACME HTTP01 solver ingress. 
1028 type: object 1029 additionalProperties: 1030 type: string 1031 name: 1032 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 1033 type: string 1034 podTemplate: 1035 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 1036 type: object 1037 properties: 1038 metadata: 1039 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 1040 type: object 1041 properties: 1042 annotations: 1043 description: Annotations that should be added to the create ACME HTTP01 solver pods. 1044 type: object 1045 additionalProperties: 1046 type: string 1047 labels: 1048 description: Labels that should be added to the created ACME HTTP01 solver pods. 1049 type: object 1050 additionalProperties: 1051 type: string 1052 spec: 1053 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 1054 type: object 1055 properties: 1056 affinity: 1057 description: If specified, the pod's scheduling constraints 1058 type: object 1059 properties: 1060 nodeAffinity: 1061 description: Describes node affinity scheduling rules for the pod. 1062 type: object 1063 properties: 1064 preferredDuringSchedulingIgnoredDuringExecution: 1065 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. 
The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 1066 type: array 1067 items: 1068 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 1069 type: object 1070 required: 1071 - preference 1072 - weight 1073 properties: 1074 preference: 1075 description: A node selector term, associated with the corresponding weight. 1076 type: object 1077 properties: 1078 matchExpressions: 1079 description: A list of node selector requirements by node's labels. 1080 type: array 1081 items: 1082 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1083 type: object 1084 required: 1085 - key 1086 - operator 1087 properties: 1088 key: 1089 description: The label key that the selector applies to. 1090 type: string 1091 operator: 1092 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1093 type: string 1094 values: 1095 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1096 type: array 1097 items: 1098 type: string 1099 matchFields: 1100 description: A list of node selector requirements by node's fields. 
1101 type: array 1102 items: 1103 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1104 type: object 1105 required: 1106 - key 1107 - operator 1108 properties: 1109 key: 1110 description: The label key that the selector applies to. 1111 type: string 1112 operator: 1113 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1114 type: string 1115 values: 1116 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1117 type: array 1118 items: 1119 type: string 1120 weight: 1121 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 1122 type: integer 1123 format: int32 1124 requiredDuringSchedulingIgnoredDuringExecution: 1125 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 1126 type: object 1127 required: 1128 - nodeSelectorTerms 1129 properties: 1130 nodeSelectorTerms: 1131 description: Required. A list of node selector terms. The terms are ORed. 1132 type: array 1133 items: 1134 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
1135 type: object 1136 properties: 1137 matchExpressions: 1138 description: A list of node selector requirements by node's labels. 1139 type: array 1140 items: 1141 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1142 type: object 1143 required: 1144 - key 1145 - operator 1146 properties: 1147 key: 1148 description: The label key that the selector applies to. 1149 type: string 1150 operator: 1151 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1152 type: string 1153 values: 1154 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1155 type: array 1156 items: 1157 type: string 1158 matchFields: 1159 description: A list of node selector requirements by node's fields. 1160 type: array 1161 items: 1162 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1163 type: object 1164 required: 1165 - key 1166 - operator 1167 properties: 1168 key: 1169 description: The label key that the selector applies to. 1170 type: string 1171 operator: 1172 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1173 type: string 1174 values: 1175 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. 1176 type: array 1177 items: 1178 type: string 1179 podAffinity: 1180 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 1181 type: object 1182 properties: 1183 preferredDuringSchedulingIgnoredDuringExecution: 1184 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 1185 type: array 1186 items: 1187 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 1188 type: object 1189 required: 1190 - podAffinityTerm 1191 - weight 1192 properties: 1193 podAffinityTerm: 1194 description: Required. A pod affinity term, associated with the corresponding weight. 1195 type: object 1196 required: 1197 - topologyKey 1198 properties: 1199 labelSelector: 1200 description: A label query over a set of resources, in this case pods. 1201 type: object 1202 properties: 1203 matchExpressions: 1204 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1205 type: array 1206 items: 1207 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: key is the label key that the selector applies to.
                                                                type: string
                                                              operator:
                                                                description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                type: string
                                                              values:
                                                                description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchLabels:
                                                          description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                          type: object
                                                          additionalProperties:
                                                            type: string
                                                    namespaceSelector:
                                                      description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                          type: array
                                                          items:
                                                            description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: key is the label key that the selector applies to.
                                                                type: string
                                                              operator:
                                                                description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                type: string
                                                              values:
                                                                description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchLabels:
                                                          description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                          type: object
                                                          additionalProperties:
                                                            type: string
                                                    namespaces:
                                                      description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                      type: array
                                                      items:
                                                        type: string
                                                    topologyKey:
                                                      description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                      type: string
                                                weight:
                                                  description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                  type: integer
                                                  format: int32
                                          requiredDuringSchedulingIgnoredDuringExecution:
                                            description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                            type: array
                                            items:
                                              description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                              type: object
                                              required:
                                              - topologyKey
                                              properties:
                                                labelSelector:
                                                  description: A label query over a set of resources, in this case pods.
                                                  type: object
                                                  properties:
                                                    matchExpressions:
                                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                      type: array
                                                      items:
                                                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                        type: object
                                                        required:
                                                        - key
                                                        - operator
                                                        properties:
                                                          key:
                                                            description: key is the label key that the selector applies to.
                                                            type: string
                                                          operator:
                                                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                            type: string
                                                          values:
                                                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                            type: array
                                                            items:
                                                              type: string
                                                    matchLabels:
                                                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                      type: object
                                                      additionalProperties:
                                                        type: string
                                                namespaceSelector:
                                                  description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                  type: object
                                                  properties:
                                                    matchExpressions:
                                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                      type: array
                                                      items:
                                                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                        type: object
                                                        required:
                                                        - key
                                                        - operator
                                                        properties:
                                                          key:
                                                            description: key is the label key that the selector applies to.
                                                            type: string
                                                          operator:
                                                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                            type: string
                                                          values:
                                                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                            type: array
                                                            items:
                                                              type: string
                                                    matchLabels:
                                                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                      type: object
                                                      additionalProperties:
                                                        type: string
                                                namespaces:
                                                  description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                  type: array
                                                  items:
                                                    type: string
                                                topologyKey:
                                                  description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                  type: string
                                      podAntiAffinity:
                                        description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
                                        type: object
                                        properties:
                                          preferredDuringSchedulingIgnoredDuringExecution:
                                            description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
                                            type: array
                                            items:
                                              description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                              type: object
                                              required:
                                              - podAffinityTerm
                                              - weight
                                              properties:
                                                podAffinityTerm:
                                                  description: Required. A pod affinity term, associated with the corresponding weight.
                                                  type: object
                                                  required:
                                                  - topologyKey
                                                  properties:
                                                    labelSelector:
                                                      description: A label query over a set of resources, in this case pods.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                          type: array
                                                          items:
                                                            description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: key is the label key that the selector applies to.
                                                                type: string
                                                              operator:
                                                                description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                type: string
                                                              values:
                                                                description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchLabels:
                                                          description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                          type: object
                                                          additionalProperties:
                                                            type: string
                                                    namespaceSelector:
                                                      description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                          type: array
                                                          items:
                                                            description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: key is the label key that the selector applies to.
                                                                type: string
                                                              operator:
                                                                description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                type: string
                                                              values:
                                                                description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchLabels:
                                                          description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                          type: object
                                                          additionalProperties:
                                                            type: string
                                                    namespaces:
                                                      description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                      type: array
                                                      items:
                                                        type: string
                                                    topologyKey:
                                                      description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                      type: string
                                                weight:
                                                  description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                  type: integer
                                                  format: int32
                                          requiredDuringSchedulingIgnoredDuringExecution:
                                            description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                            type: array
                                            items:
                                              description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                              type: object
                                              required:
                                              - topologyKey
                                              properties:
                                                labelSelector:
                                                  description: A label query over a set of resources, in this case pods.
                                                  type: object
                                                  properties:
                                                    matchExpressions:
                                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                      type: array
                                                      items:
                                                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                        type: object
                                                        required:
                                                        - key
                                                        - operator
                                                        properties:
                                                          key:
                                                            description: key is the label key that the selector applies to.
                                                            type: string
                                                          operator:
                                                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                            type: string
                                                          values:
                                                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                            type: array
                                                            items:
                                                              type: string
                                                    matchLabels:
                                                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                      type: object
                                                      additionalProperties:
                                                        type: string
                                                namespaceSelector:
                                                  description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                  type: object
                                                  properties:
                                                    matchExpressions:
                                                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                      type: array
                                                      items:
                                                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                        type: object
                                                        required:
                                                        - key
                                                        - operator
                                                        properties:
                                                          key:
                                                            description: key is the label key that the selector applies to.
                                                            type: string
                                                          operator:
                                                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                            type: string
                                                          values:
                                                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                            type: array
                                                            items:
                                                              type: string
                                                    matchLabels:
                                                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                      type: object
                                                      additionalProperties:
                                                        type: string
                                                namespaces:
                                                  description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                  type: array
                                                  items:
                                                    type: string
                                                topologyKey:
                                                  description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                  type: string
                                  nodeSelector:
                                    description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                                    type: object
                                    additionalProperties:
                                      type: string
                                  priorityClassName:
                                    description: If specified, the pod's priorityClassName.
                                    type: string
                                  serviceAccountName:
                                    description: If specified, the pod's service account
                                    type: string
                                  tolerations:
                                    description: If specified, the pod's tolerations.
                                    type: array
                                    items:
                                      description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
                                      type: object
                                      properties:
                                        effect:
                                          description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                                          type: string
                                        key:
                                          description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                                          type: string
                                        operator:
                                          description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                                          type: string
                                        tolerationSeconds:
                                          description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                                          type: integer
                                          format: int64
                                        value:
                                          description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
                                          type: string
                          serviceType:
                            description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
                            type: string
                  selector:
                    description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
                    type: object
                    properties:
                      dnsNames:
                        description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                        type: array
                        items:
                          type: string
                      dnsZones:
                        description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                        type: array
                        items:
                          type: string
                      matchLabels:
                        description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
                        type: object
                        additionalProperties:
                          type: string
          token:
            description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
            type: string
          type:
            description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
            type: string
            enum:
            - HTTP-01
            - DNS-01
          url:
            description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
            type: string
          wildcard:
            description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
            type: boolean
        status:
          type: object
          properties:
            presented:
              description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
              type: boolean
            processing:
              description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
              type: boolean
            reason:
              description: Contains human readable information on why the Challenge is in the current state.
              type: string
            state:
              description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
              type: string
              enum:
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterissuers.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: ClusterIssuer
    listKind: ClusterIssuerList
    plural: clusterissuers
    singular: clusterissuer
    categories:
    - cert-manager
  scope: Cluster
  versions:
  - name: v1
    subresources:
      status: {}
    additionalPrinterColumns:
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].message
      name: Status
      priority: 1
      type: string
    - jsonPath: .metadata.creationTimestamp
      description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      name: Age
      type: date
    schema:
      openAPIV3Schema:
        description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
        type: object
        required:
        - spec
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the ClusterIssuer resource.
            type: object
            properties:
              acme:
                description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
                type: object
                required:
                - privateKeySecretRef
                - server
                properties:
                  disableAccountKeyGeneration:
                    description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
                    type: boolean
                  email:
                    description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
                    type: string
                  enableDurationFeature:
                    description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
                    type: boolean
                  externalAccountBinding:
                    description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
                    type: object
                    required:
                    - keyID
                    - keySecretRef
                    properties:
                      keyAlgorithm:
                        description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
                        type: string
                        enum:
                        - HS256
                        - HS384
                        - HS512
                      keyID:
                        description: keyID is the ID of the CA key that the External Account is bound to.
                        type: string
                      keySecretRef:
                        description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
                        type: object
                        required:
                        - name
                        properties:
                          key:
                            description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                            type: string
                          name:
                            description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                  preferredChain:
                    description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
                    type: string
                    maxLength: 64
                  privateKeySecretRef:
                    description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
                    type: object
                    required:
                    - name
                    properties:
                      key:
                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                        type: string
                      name:
                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                        type: string
                  server:
                    description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
                    type: string
                  skipTLSVerify:
                    description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
                    type: boolean
                  solvers:
                    description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
                    type: array
                    items:
                      description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
                      type: object
                      properties:
                        dns01:
                          description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
                          type: object
                          properties:
                            acmeDNS:
                              description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
                              type: object
                              required:
                              - accountSecretRef
                              - host
                              properties:
                                accountSecretRef:
                                  description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                                host:
                                  type: string
                            akamai:
                              description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
                              type: object
                              required:
                              - accessTokenSecretRef
                              - clientSecretSecretRef
                              - clientTokenSecretRef
                              - serviceConsumerDomain
                              properties:
                                accessTokenSecretRef:
                                  description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                                clientSecretSecretRef:
                                  description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                                clientTokenSecretRef:
                                  description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                                serviceConsumerDomain:
                                  type: string
                            azureDNS:
                              description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
                              type: object
                              required:
                              - resourceGroupName
                              - subscriptionID
                              properties:
                                clientID:
                                  description: if both this and ClientSecret are left unset MSI will be used
                                  type: string
                                clientSecretSecretRef:
                                  description: if both this and ClientID are left unset MSI will be used
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                                environment:
                                  description: name of the Azure environment (default AzurePublicCloud)
                                  type: string
                                  enum:
                                  - AzurePublicCloud
                                  - AzureChinaCloud
                                  - AzureGermanCloud
                                  - AzureUSGovernmentCloud
                                hostedZoneName:
                                  description: name of the DNS zone that should be used
                                  type: string
                                managedIdentity:
                                  description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
                                  type: object
                                  properties:
                                    clientID:
                                      description: client ID of the managed identity, can not be used at the same time as resourceID
                                      type: string
                                    resourceID:
                                      description: resource ID of the managed identity, can not be used at the same time as clientID
                                      type: string
                                resourceGroupName:
                                  description: resource group the DNS zone is located in
                                  type: string
                                subscriptionID:
                                  description: ID of the Azure subscription
                                  type: string
                                tenantID:
                                  description: when specifying ClientID and ClientSecret then this field is also needed
                                  type: string
                            cloudDNS:
                              description: Use the Google Cloud DNS API to manage DNS01 challenge records.
                              type: object
                              required:
                              - project
                              properties:
                                hostedZoneName:
                                  description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
                                  type: string
                                project:
                                  type: string
                                serviceAccountSecretRef:
                                  description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                            cloudflare:
                              description: Use the Cloudflare API to manage DNS01 challenge records.
                              type: object
                              properties:
                                apiKeySecretRef:
                                  description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                      type: string
                                    name:
                                      description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                      type: string
                                apiTokenSecretRef:
                                  description: API token used to authenticate with Cloudflare.
                                  type: object
                                  required:
                                  - name
                                  properties:
                                    key:
                                      description: The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be required. 1915 type: string 1916 name: 1917 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1918 type: string 1919 email: 1920 description: Email of the account, only required when using API key based authentication. 1921 type: string 1922 cnameStrategy: 1923 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 1924 type: string 1925 enum: 1926 - None 1927 - Follow 1928 digitalocean: 1929 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 1930 type: object 1931 required: 1932 - tokenSecretRef 1933 properties: 1934 tokenSecretRef: 1935 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 1936 type: object 1937 required: 1938 - name 1939 properties: 1940 key: 1941 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1942 type: string 1943 name: 1944 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1945 type: string 1946 rfc2136: 1947 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 1948 type: object 1949 required: 1950 - nameserver 1951 properties: 1952 nameserver: 1953 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required. 1954 type: string 1955 tsigAlgorithm: 1956 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. 
Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 1957 type: string 1958 tsigKeyName: 1959 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 1960 type: string 1961 tsigSecretSecretRef: 1962 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 1963 type: object 1964 required: 1965 - name 1966 properties: 1967 key: 1968 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1969 type: string 1970 name: 1971 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1972 type: string 1973 route53: 1974 description: Use the AWS Route53 API to manage DNS01 challenge records. 1975 type: object 1976 required: 1977 - region 1978 properties: 1979 accessKeyID: 1980 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 1981 type: string 1982 accessKeyIDSecretRef: 1983 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 1984 type: object 1985 required: 1986 - name 1987 properties: 1988 key: 1989 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 1990 type: string 1991 name: 1992 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 1993 type: string 1994 hostedZoneID: 1995 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 1996 type: string 1997 region: 1998 description: Always set the region when using AccessKeyID and SecretAccessKey 1999 type: string 2000 role: 2001 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 2002 type: string 2003 secretAccessKeySecretRef: 2004 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 2005 type: object 2006 required: 2007 - name 2008 properties: 2009 key: 2010 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2011 type: string 2012 name: 2013 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2014 type: string 2015 webhook: 2016 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 2017 type: object 2018 required: 2019 - groupName 2020 - solverName 2021 properties: 2022 config: 2023 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 2024 x-kubernetes-preserve-unknown-fields: true 2025 groupName: 2026 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 2027 type: string 2028 solverName: 2029 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 2030 type: string 2031 http01: 2032 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 2033 type: object 2034 properties: 2035 gatewayHTTPRoute: 2036 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 
2037 type: object 2038 properties: 2039 labels: 2040 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 2041 type: object 2042 additionalProperties: 2043 type: string 2044 parentRefs: 2045 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 2046 type: array 2047 items: 2048 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 2049 type: object 2050 required: 2051 - name 2052 properties: 2053 group: 2054 description: "Group is the group of the referent. \n Support: Core" 2055 type: string 2056 default: gateway.networking.k8s.io 2057 maxLength: 253 2058 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2059 kind: 2060 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 2061 type: string 2062 default: Gateway 2063 maxLength: 63 2064 minLength: 1 2065 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 2066 name: 2067 description: "Name is the name of the referent. \n Support: Core" 2068 type: string 2069 maxLength: 253 2070 minLength: 1 2071 namespace: 2072 description: "Namespace is the namespace of the referent. 
When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 2073 type: string 2074 maxLength: 63 2075 minLength: 1 2076 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 2077 sectionName: 2078 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 2079 type: string 2080 maxLength: 253 2081 minLength: 1 2082 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 2083 serviceType: 2084 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 2085 type: string 2086 ingress: 2087 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 2088 type: object 2089 properties: 2090 class: 2091 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
2092 type: string 2093 ingressTemplate: 2094 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 2095 type: object 2096 properties: 2097 metadata: 2098 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 2099 type: object 2100 properties: 2101 annotations: 2102 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 2103 type: object 2104 additionalProperties: 2105 type: string 2106 labels: 2107 description: Labels that should be added to the created ACME HTTP01 solver ingress. 2108 type: object 2109 additionalProperties: 2110 type: string 2111 name: 2112 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 2113 type: string 2114 podTemplate: 2115 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 2116 type: object 2117 properties: 2118 metadata: 2119 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 2120 type: object 2121 properties: 2122 annotations: 2123 description: Annotations that should be added to the create ACME HTTP01 solver pods. 2124 type: object 2125 additionalProperties: 2126 type: string 2127 labels: 2128 description: Labels that should be added to the created ACME HTTP01 solver pods. 
2129 type: object 2130 additionalProperties: 2131 type: string 2132 spec: 2133 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 2134 type: object 2135 properties: 2136 affinity: 2137 description: If specified, the pod's scheduling constraints 2138 type: object 2139 properties: 2140 nodeAffinity: 2141 description: Describes node affinity scheduling rules for the pod. 2142 type: object 2143 properties: 2144 preferredDuringSchedulingIgnoredDuringExecution: 2145 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 2146 type: array 2147 items: 2148 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 2149 type: object 2150 required: 2151 - preference 2152 - weight 2153 properties: 2154 preference: 2155 description: A node selector term, associated with the corresponding weight. 2156 type: object 2157 properties: 2158 matchExpressions: 2159 description: A list of node selector requirements by node's labels. 2160 type: array 2161 items: 2162 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
2163 type: object 2164 required: 2165 - key 2166 - operator 2167 properties: 2168 key: 2169 description: The label key that the selector applies to. 2170 type: string 2171 operator: 2172 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2173 type: string 2174 values: 2175 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2176 type: array 2177 items: 2178 type: string 2179 matchFields: 2180 description: A list of node selector requirements by node's fields. 2181 type: array 2182 items: 2183 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2184 type: object 2185 required: 2186 - key 2187 - operator 2188 properties: 2189 key: 2190 description: The label key that the selector applies to. 2191 type: string 2192 operator: 2193 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2194 type: string 2195 values: 2196 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2197 type: array 2198 items: 2199 type: string 2200 weight: 2201 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
2202 type: integer 2203 format: int32 2204 requiredDuringSchedulingIgnoredDuringExecution: 2205 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 2206 type: object 2207 required: 2208 - nodeSelectorTerms 2209 properties: 2210 nodeSelectorTerms: 2211 description: Required. A list of node selector terms. The terms are ORed. 2212 type: array 2213 items: 2214 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 2215 type: object 2216 properties: 2217 matchExpressions: 2218 description: A list of node selector requirements by node's labels. 2219 type: array 2220 items: 2221 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2222 type: object 2223 required: 2224 - key 2225 - operator 2226 properties: 2227 key: 2228 description: The label key that the selector applies to. 2229 type: string 2230 operator: 2231 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2232 type: string 2233 values: 2234 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2235 type: array 2236 items: 2237 type: string 2238 matchFields: 2239 description: A list of node selector requirements by node's fields. 
2240 type: array 2241 items: 2242 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2243 type: object 2244 required: 2245 - key 2246 - operator 2247 properties: 2248 key: 2249 description: The label key that the selector applies to. 2250 type: string 2251 operator: 2252 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2253 type: string 2254 values: 2255 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2256 type: array 2257 items: 2258 type: string 2259 podAffinity: 2260 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 2261 type: object 2262 properties: 2263 preferredDuringSchedulingIgnoredDuringExecution: 2264 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
2265 type: array 2266 items: 2267 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2268 type: object 2269 required: 2270 - podAffinityTerm 2271 - weight 2272 properties: 2273 podAffinityTerm: 2274 description: Required. A pod affinity term, associated with the corresponding weight. 2275 type: object 2276 required: 2277 - topologyKey 2278 properties: 2279 labelSelector: 2280 description: A label query over a set of resources, in this case pods. 2281 type: object 2282 properties: 2283 matchExpressions: 2284 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2285 type: array 2286 items: 2287 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2288 type: object 2289 required: 2290 - key 2291 - operator 2292 properties: 2293 key: 2294 description: key is the label key that the selector applies to. 2295 type: string 2296 operator: 2297 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2298 type: string 2299 values: 2300 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2301 type: array 2302 items: 2303 type: string 2304 matchLabels: 2305 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2306 type: object 2307 additionalProperties: 2308 type: string 2309 namespaceSelector: 2310 description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 2311 type: object 2312 properties: 2313 matchExpressions: 2314 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2315 type: array 2316 items: 2317 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2318 type: object 2319 required: 2320 - key 2321 - operator 2322 properties: 2323 key: 2324 description: key is the label key that the selector applies to. 2325 type: string 2326 operator: 2327 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2328 type: string 2329 values: 2330 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2331 type: array 2332 items: 2333 type: string 2334 matchLabels: 2335 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2336 type: object 2337 additionalProperties: 2338 type: string 2339 namespaces: 2340 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
                                                              type: array
                                                              items:
                                                                type: string
                                                            topologyKey:
                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                              type: string
                                                        weight:
                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                          type: integer
                                                          format: int32
                                                  requiredDuringSchedulingIgnoredDuringExecution:
                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                                    type: array
                                                    items:
                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                      type: object
                                                      required:
                                                        - topologyKey
                                                      properties:
                                                        labelSelector:
                                                          description: A label query over a set of resources, in this case pods.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaceSelector:
                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaces:
                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                          type: array
                                                          items:
                                                            type: string
                                                        topologyKey:
                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                          type: string
                                              podAntiAffinity:
                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
                                                type: object
                                                properties:
                                                  preferredDuringSchedulingIgnoredDuringExecution:
                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
                                                    type: array
                                                    items:
                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                                      type: object
                                                      required:
                                                        - podAffinityTerm
                                                        - weight
                                                      properties:
                                                        podAffinityTerm:
                                                          description: Required. A pod affinity term, associated with the corresponding weight.
                                                          type: object
                                                          required:
                                                            - topologyKey
                                                          properties:
                                                            labelSelector:
                                                              description: A label query over a set of resources, in this case pods.
                                                              type: object
                                                              properties:
                                                                matchExpressions:
                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                                  type: array
                                                                  items:
                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                    type: object
                                                                    required:
                                                                      - key
                                                                      - operator
                                                                    properties:
                                                                      key:
                                                                        description: key is the label key that the selector applies to.
                                                                        type: string
                                                                      operator:
                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                        type: string
                                                                      values:
                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                        type: array
                                                                        items:
                                                                          type: string
                                                                matchLabels:
                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                                  type: object
                                                                  additionalProperties:
                                                                    type: string
                                                            namespaceSelector:
                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                              type: object
                                                              properties:
                                                                matchExpressions:
                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                                  type: array
                                                                  items:
                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                    type: object
                                                                    required:
                                                                      - key
                                                                      - operator
                                                                    properties:
                                                                      key:
                                                                        description: key is the label key that the selector applies to.
                                                                        type: string
                                                                      operator:
                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                        type: string
                                                                      values:
                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                        type: array
                                                                        items:
                                                                          type: string
                                                                matchLabels:
                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                                  type: object
                                                                  additionalProperties:
                                                                    type: string
                                                            namespaces:
                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                              type: array
                                                              items:
                                                                type: string
                                                            topologyKey:
                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                              type: string
                                                        weight:
                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                          type: integer
                                                          format: int32
                                                  requiredDuringSchedulingIgnoredDuringExecution:
                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                                    type: array
                                                    items:
                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                      type: object
                                                      required:
                                                        - topologyKey
                                                      properties:
                                                        labelSelector:
                                                          description: A label query over a set of resources, in this case pods.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaceSelector:
                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaces:
                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                          type: array
                                                          items:
                                                            type: string
                                                        topologyKey:
                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                          type: string
                                          nodeSelector:
                                            description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                                            type: object
                                            additionalProperties:
                                              type: string
                                          priorityClassName:
                                            description: If specified, the pod's priorityClassName.
                                            type: string
                                          serviceAccountName:
                                            description: If specified, the pod's service account
                                            type: string
                                          tolerations:
                                            description: If specified, the pod's tolerations.
                                            type: array
                                            items:
                                              description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
                                              type: object
                                              properties:
                                                effect:
                                                  description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                                                  type: string
                                                key:
                                                  description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                                                  type: string
                                                operator:
                                                  description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                                                  type: string
                                                tolerationSeconds:
                                                  description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                                                  type: integer
                                                  format: int64
                                                value:
                                                  description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
                                                  type: string
                                  serviceType:
                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
                                    type: string
                          selector:
                            description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
                            type: object
                            properties:
                              dnsNames:
                                description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                                type: array
                                items:
                                  type: string
                              dnsZones:
                                description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                                type: array
                                items:
                                  type: string
                              matchLabels:
                                description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
                                type: object
                                additionalProperties:
                                  type: string
                ca:
                  description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
                  type: object
                  required:
                    - secretName
                  properties:
                    crlDistributionPoints:
                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
                      type: array
                      items:
                        type: string
                    ocspServers:
                      description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
                      type: array
                      items:
                        type: string
                    secretName:
                      description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
                      type: string
                selfSigned:
                  description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
                  type: object
                  properties:
                    crlDistributionPoints:
                      description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
                      type: array
                      items:
                        type: string
                vault:
                  description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
                  type: object
                  required:
                    - auth
                    - path
                    - server
                  properties:
                    auth:
                      description: Auth configures how cert-manager authenticates with the Vault server.
                      type: object
                      properties:
                        appRole:
                          description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
                          type: object
                          required:
                            - path
                            - roleId
                            - secretRef
                          properties:
                            path:
                              description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
                              type: string
                            roleId:
                              description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
                              type: string
                            secretRef:
                              description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                        kubernetes:
                          description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
                          type: object
                          required:
                            - role
                            - secretRef
                          properties:
                            mountPath:
                              description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
                              type: string
                            role:
                              description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
                              type: string
                            secretRef:
                              description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                        tokenSecretRef:
                          description: TokenSecretRef authenticates with Vault by presenting a token.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    caBundle:
                      description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
                      type: string
                      format: byte
                    namespace:
                      description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                      type: string
                    path:
                      description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
                      type: string
                    server:
                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
                      type: string
                venafi:
                  description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
                  type: object
                  required:
                    - zone
                  properties:
                    cloud:
                      description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
                      type: object
                      required:
                        - apiTokenSecretRef
                      properties:
                        apiTokenSecretRef:
                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                        url:
                          description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
                          type: string
                    tpp:
                      description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
                      type: object
                      required:
                        - credentialsRef
                        - url
                      properties:
                        caBundle:
                          description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
                          type: string
                          format: byte
                        credentialsRef:
                          description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
                          type: object
                          required:
                            - name
                          properties:
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                        url:
                          description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
                          type: string
                    zone:
                      description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
                      type: string
            status:
              description: Status of the ClusterIssuer. This is set and managed automatically.
              type: object
              properties:
                acme:
                  description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
                  type: object
                  properties:
                    lastRegisteredEmail:
                      description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
                      type: string
                    uri:
                      description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
                      type: string
                conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
                  type: array
                  items:
                    description: IssuerCondition contains condition information for an Issuer.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`).
                        type: string
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: issuers.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: Issuer
    listKind: IssuerList
    plural: issuers
    singular: issuer
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Issuer resource.
              type: object
              properties:
                acme:
                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
                  type: object
                  required:
                    - privateKeySecretRef
                    - server
                  properties:
                    disableAccountKeyGeneration:
                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
                      type: boolean
                    email:
                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
                      type: string
                    enableDurationFeature:
                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
                      type: boolean
                    externalAccountBinding:
                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
                      type: object
                      required:
                        - keyID
                        - keySecretRef
                      properties:
                        keyAlgorithm:
                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
                          type: string
                          enum:
                            - HS256
                            - HS384
                            - HS512
                        keyID:
                          description: keyID is the ID of the CA key that the External Account is bound to.
                          type: string
                        keySecretRef:
                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    preferredChain:
                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
                      type: string
                      maxLength: 64
                    privateKeySecretRef:
                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
                      type: object
                      required:
                        - name
                      properties:
                        key:
                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                          type: string
                        name:
                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                          type: string
                    server:
                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
                      type: string
                    skipTLSVerify:
                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
                      type: boolean
                    solvers:
                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
                      type: array
                      items:
                        description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
                        type: object
                        properties:
                          dns01:
                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
                            type: object
                            properties:
                              acmeDNS:
                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - accountSecretRef
                                  - host
                                properties:
                                  accountSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  host:
                                    type: string
                              akamai:
                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - accessTokenSecretRef
                                  - clientSecretSecretRef
                                  - clientTokenSecretRef
                                  - serviceConsumerDomain
                                properties:
                                  accessTokenSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used.
Some instances of this field may be defaulted, in others it may be required. 3046 type: string 3047 name: 3048 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3049 type: string 3050 clientSecretSecretRef: 3051 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3052 type: object 3053 required: 3054 - name 3055 properties: 3056 key: 3057 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3058 type: string 3059 name: 3060 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3061 type: string 3062 clientTokenSecretRef: 3063 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3064 type: object 3065 required: 3066 - name 3067 properties: 3068 key: 3069 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3070 type: string 3071 name: 3072 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3073 type: string 3074 serviceConsumerDomain: 3075 type: string 3076 azureDNS: 3077 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
3078 type: object 3079 required: 3080 - resourceGroupName 3081 - subscriptionID 3082 properties: 3083 clientID: 3084 description: if both this and ClientSecret are left unset MSI will be used 3085 type: string 3086 clientSecretSecretRef: 3087 description: if both this and ClientID are left unset MSI will be used 3088 type: object 3089 required: 3090 - name 3091 properties: 3092 key: 3093 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3094 type: string 3095 name: 3096 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3097 type: string 3098 environment: 3099 description: name of the Azure environment (default AzurePublicCloud) 3100 type: string 3101 enum: 3102 - AzurePublicCloud 3103 - AzureChinaCloud 3104 - AzureGermanCloud 3105 - AzureUSGovernmentCloud 3106 hostedZoneName: 3107 description: name of the DNS zone that should be used 3108 type: string 3109 managedIdentity: 3110 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 3111 type: object 3112 properties: 3113 clientID: 3114 description: client ID of the managed identity, can not be used at the same time as resourceID 3115 type: string 3116 resourceID: 3117 description: resource ID of the managed identity, can not be used at the same time as clientID 3118 type: string 3119 resourceGroupName: 3120 description: resource group the DNS zone is located in 3121 type: string 3122 subscriptionID: 3123 description: ID of the Azure subscription 3124 type: string 3125 tenantID: 3126 description: when specifying ClientID and ClientSecret then this field is also needed 3127 type: string 3128 cloudDNS: 3129 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
3130 type: object 3131 required: 3132 - project 3133 properties: 3134 hostedZoneName: 3135 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 3136 type: string 3137 project: 3138 type: string 3139 serviceAccountSecretRef: 3140 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3141 type: object 3142 required: 3143 - name 3144 properties: 3145 key: 3146 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3147 type: string 3148 name: 3149 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3150 type: string 3151 cloudflare: 3152 description: Use the Cloudflare API to manage DNS01 challenge records. 3153 type: object 3154 properties: 3155 apiKeySecretRef: 3156 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 3157 type: object 3158 required: 3159 - name 3160 properties: 3161 key: 3162 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3163 type: string 3164 name: 3165 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3166 type: string 3167 apiTokenSecretRef: 3168 description: API token used to authenticate with Cloudflare. 3169 type: object 3170 required: 3171 - name 3172 properties: 3173 key: 3174 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 3175 type: string 3176 name: 3177 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3178 type: string 3179 email: 3180 description: Email of the account, only required when using API key based authentication. 3181 type: string 3182 cnameStrategy: 3183 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 3184 type: string 3185 enum: 3186 - None 3187 - Follow 3188 digitalocean: 3189 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 3190 type: object 3191 required: 3192 - tokenSecretRef 3193 properties: 3194 tokenSecretRef: 3195 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 3196 type: object 3197 required: 3198 - name 3199 properties: 3200 key: 3201 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3202 type: string 3203 name: 3204 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3205 type: string 3206 rfc2136: 3207 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 3208 type: object 3209 required: 3210 - nameserver 3211 properties: 3212 nameserver: 3213 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required. 3214 type: string 3215 tsigAlgorithm: 3216 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. 
Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 3217 type: string 3218 tsigKeyName: 3219 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 3220 type: string 3221 tsigSecretSecretRef: 3222 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 3223 type: object 3224 required: 3225 - name 3226 properties: 3227 key: 3228 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3229 type: string 3230 name: 3231 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3232 type: string 3233 route53: 3234 description: Use the AWS Route53 API to manage DNS01 challenge records. 3235 type: object 3236 required: 3237 - region 3238 properties: 3239 accessKeyID: 3240 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3241 type: string 3242 accessKeyIDSecretRef: 3243 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3244 type: object 3245 required: 3246 - name 3247 properties: 3248 key: 3249 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3250 type: string 3251 name: 3252 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3253 type: string 3254 hostedZoneID: 3255 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 3256 type: string 3257 region: 3258 description: Always set the region when using AccessKeyID and SecretAccessKey 3259 type: string 3260 role: 3261 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 3262 type: string 3263 secretAccessKeySecretRef: 3264 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 3265 type: object 3266 required: 3267 - name 3268 properties: 3269 key: 3270 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3271 type: string 3272 name: 3273 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3274 type: string 3275 webhook: 3276 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 3277 type: object 3278 required: 3279 - groupName 3280 - solverName 3281 properties: 3282 config: 3283 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 3284 x-kubernetes-preserve-unknown-fields: true 3285 groupName: 3286 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 3287 type: string 3288 solverName: 3289 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 3290 type: string 3291 http01: 3292 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 3293 type: object 3294 properties: 3295 gatewayHTTPRoute: 3296 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 
3297 type: object 3298 properties: 3299 labels: 3300 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 3301 type: object 3302 additionalProperties: 3303 type: string 3304 parentRefs: 3305 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 3306 type: array 3307 items: 3308 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 3309 type: object 3310 required: 3311 - name 3312 properties: 3313 group: 3314 description: "Group is the group of the referent. \n Support: Core" 3315 type: string 3316 default: gateway.networking.k8s.io 3317 maxLength: 253 3318 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3319 kind: 3320 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 3321 type: string 3322 default: Gateway 3323 maxLength: 63 3324 minLength: 1 3325 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 3326 name: 3327 description: "Name is the name of the referent. \n Support: Core" 3328 type: string 3329 maxLength: 253 3330 minLength: 1 3331 namespace: 3332 description: "Namespace is the namespace of the referent. 
When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 3333 type: string 3334 maxLength: 63 3335 minLength: 1 3336 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 3337 sectionName: 3338 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 3339 type: string 3340 maxLength: 253 3341 minLength: 1 3342 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3343 serviceType: 3344 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 3345 type: string 3346 ingress: 3347 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 3348 type: object 3349 properties: 3350 class: 3351 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
3352 type: string 3353 ingressTemplate: 3354 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 3355 type: object 3356 properties: 3357 metadata: 3358 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 3359 type: object 3360 properties: 3361 annotations: 3362 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 3363 type: object 3364 additionalProperties: 3365 type: string 3366 labels: 3367 description: Labels that should be added to the created ACME HTTP01 solver ingress. 3368 type: object 3369 additionalProperties: 3370 type: string 3371 name: 3372 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 3373 type: string 3374 podTemplate: 3375 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 3376 type: object 3377 properties: 3378 metadata: 3379 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 3380 type: object 3381 properties: 3382 annotations: 3383 description: Annotations that should be added to the create ACME HTTP01 solver pods. 3384 type: object 3385 additionalProperties: 3386 type: string 3387 labels: 3388 description: Labels that should be added to the created ACME HTTP01 solver pods. 
3389 type: object 3390 additionalProperties: 3391 type: string 3392 spec: 3393 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 3394 type: object 3395 properties: 3396 affinity: 3397 description: If specified, the pod's scheduling constraints 3398 type: object 3399 properties: 3400 nodeAffinity: 3401 description: Describes node affinity scheduling rules for the pod. 3402 type: object 3403 properties: 3404 preferredDuringSchedulingIgnoredDuringExecution: 3405 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 3406 type: array 3407 items: 3408 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 3409 type: object 3410 required: 3411 - preference 3412 - weight 3413 properties: 3414 preference: 3415 description: A node selector term, associated with the corresponding weight. 3416 type: object 3417 properties: 3418 matchExpressions: 3419 description: A list of node selector requirements by node's labels. 3420 type: array 3421 items: 3422 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
3423 type: object 3424 required: 3425 - key 3426 - operator 3427 properties: 3428 key: 3429 description: The label key that the selector applies to. 3430 type: string 3431 operator: 3432 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3433 type: string 3434 values: 3435 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3436 type: array 3437 items: 3438 type: string 3439 matchFields: 3440 description: A list of node selector requirements by node's fields. 3441 type: array 3442 items: 3443 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3444 type: object 3445 required: 3446 - key 3447 - operator 3448 properties: 3449 key: 3450 description: The label key that the selector applies to. 3451 type: string 3452 operator: 3453 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3454 type: string 3455 values: 3456 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3457 type: array 3458 items: 3459 type: string 3460 weight: 3461 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
3462 type: integer 3463 format: int32 3464 requiredDuringSchedulingIgnoredDuringExecution: 3465 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 3466 type: object 3467 required: 3468 - nodeSelectorTerms 3469 properties: 3470 nodeSelectorTerms: 3471 description: Required. A list of node selector terms. The terms are ORed. 3472 type: array 3473 items: 3474 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 3475 type: object 3476 properties: 3477 matchExpressions: 3478 description: A list of node selector requirements by node's labels. 3479 type: array 3480 items: 3481 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3482 type: object 3483 required: 3484 - key 3485 - operator 3486 properties: 3487 key: 3488 description: The label key that the selector applies to. 3489 type: string 3490 operator: 3491 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3492 type: string 3493 values: 3494 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3495 type: array 3496 items: 3497 type: string 3498 matchFields: 3499 description: A list of node selector requirements by node's fields. 
3500 type: array 3501 items: 3502 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3503 type: object 3504 required: 3505 - key 3506 - operator 3507 properties: 3508 key: 3509 description: The label key that the selector applies to. 3510 type: string 3511 operator: 3512 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 3513 type: string 3514 values: 3515 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 3516 type: array 3517 items: 3518 type: string 3519 podAffinity: 3520 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 3521 type: object 3522 properties: 3523 preferredDuringSchedulingIgnoredDuringExecution: 3524 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
3525 type: array 3526 items: 3527 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 3528 type: object 3529 required: 3530 - podAffinityTerm 3531 - weight 3532 properties: 3533 podAffinityTerm: 3534 description: Required. A pod affinity term, associated with the corresponding weight. 3535 type: object 3536 required: 3537 - topologyKey 3538 properties: 3539 labelSelector: 3540 description: A label query over a set of resources, in this case pods. 3541 type: object 3542 properties: 3543 matchExpressions: 3544 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3545 type: array 3546 items: 3547 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3548 type: object 3549 required: 3550 - key 3551 - operator 3552 properties: 3553 key: 3554 description: key is the label key that the selector applies to. 3555 type: string 3556 operator: 3557 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3558 type: string 3559 values: 3560 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3561 type: array 3562 items: 3563 type: string 3564 matchLabels: 3565 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3566 type: object 3567 additionalProperties: 3568 type: string 3569 namespaceSelector: 3570 description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3571 type: object 3572 properties: 3573 matchExpressions: 3574 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3575 type: array 3576 items: 3577 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3578 type: object 3579 required: 3580 - key 3581 - operator 3582 properties: 3583 key: 3584 description: key is the label key that the selector applies to. 3585 type: string 3586 operator: 3587 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3588 type: string 3589 values: 3590 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3591 type: array 3592 items: 3593 type: string 3594 matchLabels: 3595 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3596 type: object 3597 additionalProperties: 3598 type: string 3599 namespaces: 3600 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
3601 type: array 3602 items: 3603 type: string 3604 topologyKey: 3605 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3606 type: string 3607 weight: 3608 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 3609 type: integer 3610 format: int32 3611 requiredDuringSchedulingIgnoredDuringExecution: 3612 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 3613 type: array 3614 items: 3615 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 3616 type: object 3617 required: 3618 - topologyKey 3619 properties: 3620 labelSelector: 3621 description: A label query over a set of resources, in this case pods. 3622 type: object 3623 properties: 3624 matchExpressions: 3625 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
3626 type: array 3627 items: 3628 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3629 type: object 3630 required: 3631 - key 3632 - operator 3633 properties: 3634 key: 3635 description: key is the label key that the selector applies to. 3636 type: string 3637 operator: 3638 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3639 type: string 3640 values: 3641 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3642 type: array 3643 items: 3644 type: string 3645 matchLabels: 3646 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3647 type: object 3648 additionalProperties: 3649 type: string 3650 namespaceSelector: 3651 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3652 type: object 3653 properties: 3654 matchExpressions: 3655 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3656 type: array 3657 items: 3658 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
3659 type: object 3660 required: 3661 - key 3662 - operator 3663 properties: 3664 key: 3665 description: key is the label key that the selector applies to. 3666 type: string 3667 operator: 3668 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3669 type: string 3670 values: 3671 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3672 type: array 3673 items: 3674 type: string 3675 matchLabels: 3676 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3677 type: object 3678 additionalProperties: 3679 type: string 3680 namespaces: 3681 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3682 type: array 3683 items: 3684 type: string 3685 topologyKey: 3686 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3687 type: string 3688 podAntiAffinity: 3689 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
3690 type: object 3691 properties: 3692 preferredDuringSchedulingIgnoredDuringExecution: 3693 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 3694 type: array 3695 items: 3696 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 3697 type: object 3698 required: 3699 - podAffinityTerm 3700 - weight 3701 properties: 3702 podAffinityTerm: 3703 description: Required. A pod affinity term, associated with the corresponding weight. 3704 type: object 3705 required: 3706 - topologyKey 3707 properties: 3708 labelSelector: 3709 description: A label query over a set of resources, in this case pods. 3710 type: object 3711 properties: 3712 matchExpressions: 3713 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3714 type: array 3715 items: 3716 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3717 type: object 3718 required: 3719 - key 3720 - operator 3721 properties: 3722 key: 3723 description: key is the label key that the selector applies to. 3724 type: string 3725 operator: 3726 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
3727 type: string 3728 values: 3729 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3730 type: array 3731 items: 3732 type: string 3733 matchLabels: 3734 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3735 type: object 3736 additionalProperties: 3737 type: string 3738 namespaceSelector: 3739 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3740 type: object 3741 properties: 3742 matchExpressions: 3743 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3744 type: array 3745 items: 3746 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3747 type: object 3748 required: 3749 - key 3750 - operator 3751 properties: 3752 key: 3753 description: key is the label key that the selector applies to. 3754 type: string 3755 operator: 3756 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3757 type: string 3758 values: 3759 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
3760 type: array 3761 items: 3762 type: string 3763 matchLabels: 3764 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3765 type: object 3766 additionalProperties: 3767 type: string 3768 namespaces: 3769 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3770 type: array 3771 items: 3772 type: string 3773 topologyKey: 3774 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3775 type: string 3776 weight: 3777 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 3778 type: integer 3779 format: int32 3780 requiredDuringSchedulingIgnoredDuringExecution: 3781 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
3782 type: array 3783 items: 3784 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 3785 type: object 3786 required: 3787 - topologyKey 3788 properties: 3789 labelSelector: 3790 description: A label query over a set of resources, in this case pods. 3791 type: object 3792 properties: 3793 matchExpressions: 3794 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3795 type: array 3796 items: 3797 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3798 type: object 3799 required: 3800 - key 3801 - operator 3802 properties: 3803 key: 3804 description: key is the label key that the selector applies to. 3805 type: string 3806 operator: 3807 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3808 type: string 3809 values: 3810 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3811 type: array 3812 items: 3813 type: string 3814 matchLabels: 3815 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
3816 type: object 3817 additionalProperties: 3818 type: string 3819 namespaceSelector: 3820 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. 3821 type: object 3822 properties: 3823 matchExpressions: 3824 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3825 type: array 3826 items: 3827 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3828 type: object 3829 required: 3830 - key 3831 - operator 3832 properties: 3833 key: 3834 description: key is the label key that the selector applies to. 3835 type: string 3836 operator: 3837 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3838 type: string 3839 values: 3840 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3841 type: array 3842 items: 3843 type: string 3844 matchLabels: 3845 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3846 type: object 3847 additionalProperties: 3848 type: string 3849 namespaces: 3850 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace". 3851 type: array 3852 items: 3853 type: string 3854 topologyKey: 3855 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3856 type: string 3857 nodeSelector: 3858 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 3859 type: object 3860 additionalProperties: 3861 type: string 3862 priorityClassName: 3863 description: If specified, the pod's priorityClassName. 3864 type: string 3865 serviceAccountName: 3866 description: If specified, the pod's service account 3867 type: string 3868 tolerations: 3869 description: If specified, the pod's tolerations. 3870 type: array 3871 items: 3872 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 3873 type: object 3874 properties: 3875 effect: 3876 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 3877 type: string 3878 key: 3879 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 3880 type: string 3881 operator: 3882 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. 
Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 3883 type: string 3884 tolerationSeconds: 3885 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 3886 type: integer 3887 format: int64 3888 value: 3889 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 3890 type: string 3891 serviceType: 3892 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 3893 type: string 3894 selector: 3895 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 3896 type: object 3897 properties: 3898 dnsNames: 3899 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 3900 type: array 3901 items: 3902 type: string 3903 dnsZones: 3904 description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 3905 type: array 3906 items: 3907 type: string 3908 matchLabels: 3909 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to. 3910 type: object 3911 additionalProperties: 3912 type: string 3913 ca: 3914 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 3915 type: object 3916 required: 3917 - secretName 3918 properties: 3919 crlDistributionPoints: 3920 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 3921 type: array 3922 items: 3923 type: string 3924 ocspServers: 3925 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 3926 type: array 3927 items: 3928 type: string 3929 secretName: 3930 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
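The solver selection rules described in the `selector` descriptions above (an exact `dnsNames` match beats any `dnsZones` match, the longest matching zone beats shorter ones, more matching `matchLabels` break ties, and the earliest solver in the list wins whatever is left, with a selector-less solver acting as the lowest-priority default) are easy to get wrong when several solvers overlap. The following is an added example, not cert-manager's own implementation; the `Solver` class and the `SOLVERS` list are constructed for illustration.

```python
"""Pick the ACME challenge solver for a DNS name following the selector
precedence described in the Issuer schema.  Added example, not cert-manager
code; Solver and SOLVERS are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Solver:
    name: str                                   # label for readable output only
    dns_names: list = field(default_factory=list)
    dns_zones: list = field(default_factory=list)
    match_labels: dict = field(default_factory=dict)


def _zone_matches(dns_name, zone):
    """example.com matches example.com and *.example.com, but not notexample.com."""
    return dns_name == zone or dns_name.endswith("." + zone)


def _score(solver, dns_name, cert_labels):
    """Comparable score tuple, or None when the solver is not eligible at all."""
    name_hit, zone_len = 0, 0
    if dns_name in solver.dns_names:
        name_hit = 1                            # exact dnsNames match outranks any zone
    else:
        matched = [z for z in solver.dns_zones if _zone_matches(dns_name, z)]
        if matched:
            zone_len = max(len(z) for z in matched)   # most specific zone wins
        elif solver.dns_names or solver.dns_zones:
            return None                         # a DNS selector was given and nothing matched
    # matchLabels refines the set of Certificates: every listed label must match
    if any(cert_labels.get(k) != v for k, v in solver.match_labels.items()):
        return None
    return (name_hit, zone_len, len(solver.match_labels))


def select_solver(solvers, dns_name, cert_labels):
    """Return the solver that would be used for dns_name, or None if none is eligible."""
    best, best_score = None, None
    for solver in solvers:
        score = _score(solver, dns_name, cert_labels)
        # strict '>' keeps the earlier solver on ties, as the schema describes
        if score is not None and (best_score is None or score > best_score):
            best, best_score = solver, score
    return best


# Constructed solver list, in the order it would appear under spec.acme.solvers
SOLVERS = [
    Solver("default-http01"),
    Solver("zone-example", dns_zones=["example.com"]),
    Solver("zone-sys", dns_zones=["sys.example.com"]),
    Solver("zone-sys-prod", dns_zones=["sys.example.com"], match_labels={"env": "prod"}),
    Solver("exact-www", dns_names=["www.sys.example.com"]),
]

if __name__ == "__main__":
    for host, labels in [("www.sys.example.com", {}), ("api.sys.example.com", {"env": "prod"}),
                         ("api.sys.example.com", {}), ("shop.example.com", {}), ("other.org", {})]:
        print(host, labels, "->", select_solver(SOLVERS, host, labels).name)
```

Note that a solver whose `matchLabels` do not match the Certificate is excluded outright rather than merely ranked lower, and that `select_solver` returns `None` when every solver carries a DNS selector and none matches; in that case the Order cannot be processed, which is exactly why a selector-less default solver is usually kept at the end of the list.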
3931 type: string 3932 selfSigned: 3933 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 3934 type: object 3935 properties: 3936 crlDistributionPoints: 3937 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings. 3938 type: array 3939 items: 3940 type: string 3941 vault: 3942 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 3943 type: object 3944 required: 3945 - auth 3946 - path 3947 - server 3948 properties: 3949 auth: 3950 description: Auth configures how cert-manager authenticates with the Vault server. 3951 type: object 3952 properties: 3953 appRole: 3954 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 3955 type: object 3956 required: 3957 - path 3958 - roleId 3959 - secretRef 3960 properties: 3961 path: 3962 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 3963 type: string 3964 roleId: 3965 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 3966 type: string 3967 secretRef: 3968 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 3969 type: object 3970 required: 3971 - name 3972 properties: 3973 key: 3974 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3975 type: string 3976 name: 3977 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3978 type: string 3979 kubernetes: 3980 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 3981 type: object 3982 required: 3983 - role 3984 - secretRef 3985 properties: 3986 mountPath: 3987 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 3988 type: string 3989 role: 3990 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 3991 type: string 3992 secretRef: 3993 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 3994 type: object 3995 required: 3996 - name 3997 properties: 3998 key: 3999 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4000 type: string 4001 name: 4002 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4003 type: string 4004 tokenSecretRef: 4005 description: TokenSecretRef authenticates with Vault by presenting a token. 4006 type: object 4007 required: 4008 - name 4009 properties: 4010 key: 4011 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4012 type: string 4013 name: 4014 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4015 type: string 4016 caBundle: 4017 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for a plain HTTP protocol connection. If not set, the system root certificates are used to validate the TLS connection. 4018 type: string 4019 format: byte 4020 namespace: 4021 description: 'Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows a Vault environment to support secure multi-tenancy, e.g: "ns1". More about namespaces can be found at https://www.vaultproject.io/docs/enterprise/namespaces' 4022 type: string 4023 path: 4024 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 4025 type: string 4026 server: 4027 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 4028 type: string 4029 venafi: 4030 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 4031 type: object 4032 required: 4033 - zone 4034 properties: 4035 cloud: 4036 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 4037 type: object 4038 required: 4039 - apiTokenSecretRef 4040 properties: 4041 apiTokenSecretRef: 4042 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 4043 type: object 4044 required: 4045 - name 4046 properties: 4047 key: 4048 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 4049 type: string 4050 name: 4051 description: 'Name of the resource being referred to.
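The `ca`, `selfSigned`, `vault` and `venafi` blocks above spell out several constraints the schema itself cannot enforce: `caBundle` is silently ignored when `server` is plain HTTP, `path` must point at the PKI backend's `sign` endpoint, `auth` should carry exactly one mechanism, a static `tokenSecretRef` is the weakest of the three, and a CA issuer with neither `crlDistributionPoints` nor `ocspServers` emits certificates with no revocation pointer at all. The linter below, an added example that is not part of the chart or of cert-manager, checks an Issuer manifest (given as a Python dict, as `kubectl get -o json` would return it) for these points; the two manifests and the placeholder PEM are constructed.

```python
"""Lint a cert-manager Issuer/ClusterIssuer spec for weak Vault, Venafi and CA
settings.  Added example, not cert-manager code; WEAK, HARDENED and the
placeholder PEM are constructed for illustration."""
import base64
from urllib.parse import urlparse

ISSUER_TYPES = ("acme", "ca", "selfSigned", "vault", "venafi")
VAULT_AUTH = ("appRole", "kubernetes", "tokenSecretRef")


def _pem_bundle_ok(b64):
    """caBundle must be base64 of PEM; anything else makes TLS verification fail silently later."""
    try:
        pem = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return "-----BEGIN CERTIFICATE-----" in pem


def _lint_vault(v):
    out = []
    if urlparse(v.get("server", "")).scheme != "https":
        out.append("vault.server is not https: credentials and CSRs travel in cleartext and caBundle is ignored")
    elif "caBundle" not in v:
        out.append("vault.caBundle unset: falls back to system roots (fine for a public CA, wrong for an internal Vault CA)")
    elif not _pem_bundle_ok(v["caBundle"]):
        out.append("vault.caBundle is not base64-encoded PEM")
    if "/sign/" not in v.get("path", ""):
        out.append("vault.path should be the PKI sign endpoint, e.g. my_pki_mount/sign/my-role-name")
    auth = v.get("auth", {})
    methods = [m for m in VAULT_AUTH if m in auth]
    if len(methods) != 1:
        out.append(f"vault.auth must configure exactly one of {VAULT_AUTH}, got {methods}")
    if "tokenSecretRef" in auth:
        out.append("vault.auth.tokenSecretRef: long-lived static token; prefer kubernetes or appRole auth")
    if "appRole" in auth and not auth["appRole"].get("secretRef", {}).get("key"):
        out.append("vault.auth.appRole.secretRef.key must be set")
    mount = auth.get("kubernetes", {}).get("mountPath")
    if mount is not None and not mount.startswith("/v1/auth/"):
        out.append("vault.auth.kubernetes.mountPath should look like /v1/auth/<mount>")
    return out


def _lint_venafi(v):
    out = []
    backends = [b for b in ("tpp", "cloud") if b in v]
    if len(backends) != 1:
        out.append(f"venafi: exactly one of tpp/cloud must be set, got {backends}")
    tpp = v.get("tpp", {})
    if tpp and urlparse(tpp.get("url", "")).scheme != "https":
        out.append("venafi.tpp.url is not https")
    if tpp and "caBundle" in tpp and not _pem_bundle_ok(tpp["caBundle"]):
        out.append("venafi.tpp.caBundle is not base64-encoded PEM")
    return out


def lint_issuer(issuer):
    """Return a list of findings; an empty list means nothing to report."""
    spec = issuer.get("spec", {})
    configured = [t for t in ISSUER_TYPES if t in spec]
    if len(configured) != 1:
        return [f"spec must configure exactly one issuer type, got {configured}"]
    kind = configured[0]
    if kind == "vault":
        return _lint_vault(spec["vault"])
    if kind == "venafi":
        return _lint_venafi(spec["venafi"])
    if kind == "ca" and not (spec["ca"].get("crlDistributionPoints") or spec["ca"].get("ocspServers")):
        return ["ca: no crlDistributionPoints or ocspServers, issued certificates carry no revocation pointer"]
    return []


# Constructed manifests: a weak Vault issuer and a hardened one
WEAK = {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
        "metadata": {"name": "vault-weak", "namespace": "apps"},
        "spec": {"vault": {"server": "http://vault.internal:8200", "path": "pki",
                           "auth": {"tokenSecretRef": {"name": "vault-token", "key": "token"}}}}}

_TEST_CA_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBplaceholderBodyForIllustrationOnly==\n"
                "-----END CERTIFICATE-----\n")          # constructed, not a real certificate
HARDENED = {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
            "metadata": {"name": "vault-issuer", "namespace": "apps"},
            "spec": {"vault": {"server": "https://vault.internal:8200",
                               "caBundle": base64.b64encode(_TEST_CA_PEM.encode()).decode(),
                               "path": "pki_int/sign/cert-manager",
                               "auth": {"kubernetes": {"role": "cert-manager", "mountPath": "/v1/auth/kubernetes",
                                                       "secretRef": {"name": "cert-manager-vault-token", "key": "token"}}}}}}

if __name__ == "__main__":
    for name, obj in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_issuer(obj) or ["ok"])
```

The missing-`caBundle` finding is deliberately a warning rather than an error: the schema says system roots are used in that case, which is correct when Vault sits behind a publicly trusted certificate and a trust-on-system-roots gap only when Vault's TLS certificate comes from a private CA.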
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4052 type: string 4053 url: 4054 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 4055 type: string 4056 tpp: 4057 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 4058 type: object 4059 required: 4060 - credentialsRef 4061 - url 4062 properties: 4063 caBundle: 4064 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. 4065 type: string 4066 format: byte 4067 credentialsRef: 4068 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 4069 type: object 4070 required: 4071 - name 4072 properties: 4073 name: 4074 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 4075 type: string 4076 url: 4077 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 4078 type: string 4079 zone: 4080 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 4081 type: string 4082 status: 4083 description: Status of the Issuer. This is set and managed automatically. 4084 type: object 4085 properties: 4086 acme: 4087 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
4088 type: object 4089 properties: 4090 lastRegisteredEmail: 4091 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer. 4092 type: string 4093 uri: 4094 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA. 4095 type: string 4096 conditions: 4097 description: List of status conditions to indicate the status of an Issuer. Known condition types are `Ready`. 4098 type: array 4099 items: 4100 description: IssuerCondition contains condition information for an Issuer. 4101 type: object 4102 required: 4103 - status 4104 - type 4105 properties: 4106 lastTransitionTime: 4107 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 4108 type: string 4109 format: date-time 4110 message: 4111 description: Message is a human readable description of the details of the last transition, complementing reason. 4112 type: string 4113 observedGeneration: 4114 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 4115 type: integer 4116 format: int64 4117 reason: 4118 description: Reason is a brief machine readable explanation for the condition's last transition. 4119 type: string 4120 status: 4121 description: Status of the condition, one of (`True`, `False`, `Unknown`). 4122 type: string 4123 enum: 4124 - "True" 4125 - "False" 4126 - Unknown 4127 type: 4128 description: Type of the condition, known values are (`Ready`).
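The `observedGeneration` description above is the part of the status schema that automation most often ignores: a `Ready=True` condition recorded against an older `metadata.generation` says nothing about the spec that is live now. The check below, an added example rather than cert-manager code, treats such a condition as not ready and surfaces `reason`/`message` for the failure case; the Issuer objects are constructed.

```python
"""Read an Issuer's status.conditions the way a deploy gate should: Ready is only
trusted when the condition is not stale (observedGeneration == metadata.generation).
Added example, not cert-manager code; the sample objects are constructed."""


def issuer_ready(obj):
    """Return (ready, detail) for an Issuer/ClusterIssuer object given as a dict."""
    generation = obj.get("metadata", {}).get("generation")
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") != "Ready":
            continue
        observed = cond.get("observedGeneration")
        # a Ready=True recorded for an older spec says nothing about the current one
        if observed is not None and generation is not None and observed != generation:
            return False, f"Ready condition is stale (observed {observed}, current {generation})"
        if cond.get("status") == "True":
            return True, cond.get("reason", "")
        return False, f"{cond.get('reason', '')}: {cond.get('message', '')}"
    return False, "no Ready condition yet"


def _issuer(generation, conditions):
    """Build a minimal constructed Issuer object."""
    return {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
            "metadata": {"name": "vault-issuer", "generation": generation},
            "status": {"conditions": conditions}}


# Constructed samples covering the four outcomes
READY = _issuer(3, [{"type": "Ready", "status": "True", "observedGeneration": 3,
                     "reason": "VaultVerified", "message": "Vault verified"}])
STALE = _issuer(4, [{"type": "Ready", "status": "True", "observedGeneration": 3,
                     "reason": "VaultVerified", "message": "Vault verified"}])
FAILED = _issuer(2, [{"type": "Ready", "status": "False", "observedGeneration": 2,
                      "reason": "VaultError", "message": "x509: certificate signed by unknown authority"}])
NEW = _issuer(1, [])

if __name__ == "__main__":
    for name, obj in (("ready", READY), ("stale", STALE), ("failed", FAILED), ("new", NEW)):
        print(name, issuer_ready(obj))
```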
4129 type: string 4130 x-kubernetes-list-map-keys: 4131 - type 4132 x-kubernetes-list-type: map 4133 served: true 4134 storage: true 4135 --- 4136 apiVersion: apiextensions.k8s.io/v1 4137 kind: CustomResourceDefinition 4138 metadata: 4139 name: orders.acme.cert-manager.io 4140 labels: 4141 app: '{{ template "cert-manager.name" . }}' 4142 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' 4143 app.kubernetes.io/instance: '{{ .Release.Name }}' 4144 # Generated labels {{- include "labels" . | nindent 4 }} 4145 spec: 4146 group: acme.cert-manager.io 4147 names: 4148 kind: Order 4149 listKind: OrderList 4150 plural: orders 4151 singular: order 4152 categories: 4153 - cert-manager 4154 - cert-manager-acme 4155 scope: Namespaced 4156 versions: 4157 - name: v1 4158 subresources: 4159 status: {} 4160 additionalPrinterColumns: 4161 - jsonPath: .status.state 4162 name: State 4163 type: string 4164 - jsonPath: .spec.issuerRef.name 4165 name: Issuer 4166 priority: 1 4167 type: string 4168 - jsonPath: .status.reason 4169 name: Reason 4170 priority: 1 4171 type: string 4172 - jsonPath: .metadata.creationTimestamp 4173 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 4174 name: Age 4175 type: date 4176 schema: 4177 openAPIV3Schema: 4178 description: Order is a type to represent an Order with an ACME server 4179 type: object 4180 required: 4181 - metadata 4182 - spec 4183 properties: 4184 apiVersion: 4185 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4186 type: string 4187 kind: 4188 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4189 type: string 4190 metadata: 4191 type: object 4192 spec: 4193 type: object 4194 required: 4195 - issuerRef 4196 - request 4197 properties: 4198 commonName: 4199 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. 4200 type: string 4201 dnsNames: 4202 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4203 type: array 4204 items: 4205 type: string 4206 duration: 4207 description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. 4208 type: string 4209 ipAddresses: 4210 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4211 type: array 4212 items: 4213 type: string 4214 issuerRef: 4215 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. 4216 type: object 4217 required: 4218 - name 4219 properties: 4220 group: 4221 description: Group of the resource being referred to. 
4222 type: string 4223 kind: 4224 description: Kind of the resource being referred to. 4225 type: string 4226 name: 4227 description: Name of the resource being referred to. 4228 type: string 4229 request: 4230 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 4231 type: string 4232 format: byte 4233 status: 4234 type: object 4235 properties: 4236 authorizations: 4237 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. 4238 type: array 4239 items: 4240 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. 4241 type: object 4242 required: 4243 - url 4244 properties: 4245 challenges: 4246 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. 4247 type: array 4248 items: 4249 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 4250 type: object 4251 required: 4252 - token 4253 - type 4254 - url 4255 properties: 4256 token: 4257 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. 4258 type: string 4259 type: 4260 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. 4261 type: string 4262 url: 4263 description: URL is the URL of this challenge. 
It can be used to retrieve additional metadata about the Challenge from the ACME server. 4264 type: string 4265 identifier: 4266 description: Identifier is the DNS name to be validated as part of this authorization 4267 type: string 4268 initialState: 4269 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. 4270 type: string 4271 enum: 4272 - valid 4273 - ready 4274 - pending 4275 - processing 4276 - invalid 4277 - expired 4278 - errored 4279 url: 4280 description: URL is the URL of the Authorization that must be completed 4281 type: string 4282 wildcard: 4283 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. 4284 type: boolean 4285 certificate: 4286 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. 4287 type: string 4288 format: byte 4289 failureTime: 4290 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. 4291 type: string 4292 format: date-time 4293 finalizeURL: 4294 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. 
4295 type: string 4296 reason: 4297 description: Reason optionally provides more information about a why the order is in the current state. 4298 type: string 4299 state: 4300 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' 4301 type: string 4302 enum: 4303 - valid 4304 - ready 4305 - pending 4306 - processing 4307 - invalid 4308 - expired 4309 - errored 4310 url: 4311 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. 4312 type: string 4313 served: true 4314 storage: true 4315 {{- end }}
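The Order schema above can only type-check its fields; the constraints its descriptions state (commonName, dnsNames and ipAddresses "must match the corresponding field on the DER encoded CSR", and a commonName "must also be present in dnsNames or ipAddresses") have to be enforced in code. The following Go program is an added example, not part of the cert-manager chart or its controllers. It assumes the hypothetical `OrderSpec` struct and `ValidateOrderSpec` function defined here; the CSR it checks is generated in-process from a freshly created key (constructed sample input), and the check also verifies the CSR's self-signature so that a request carrying a public key the submitter does not control is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"net"
	"sort"
)

// OrderSpec mirrors the Order CRD spec fields that must agree with the
// embedded CSR. Request holds the base64 DER CSR exactly as a
// `format: byte` field is serialised in the Kubernetes API.
type OrderSpec struct {
	CommonName  string
	DNSNames    []string
	IPAddresses []string
	Request     string
}

// canonIPs normalises textual IPs so "::1" and "0:0:0:0:0:0:0:1" compare equal.
func canonIPs(in []string) ([]string, error) {
	out := make([]string, 0, len(in))
	for _, s := range in {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP address %q", s)
		}
		out = append(out, ip.String())
	}
	return out, nil
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// sameSet reports whether two string lists hold the same elements (order-insensitive).
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]string(nil), a...)
	y := append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// ValidateOrderSpec enforces the CRD description constraints: the request is a
// well-formed DER CSR with a valid self-signature, its subject CN equals
// commonName, commonName (if set) appears in dnsNames or ipAddresses, and the
// CSR's SANs match dnsNames and ipAddresses exactly.
func ValidateOrderSpec(spec OrderSpec) error {
	der, err := base64.StdEncoding.DecodeString(spec.Request)
	if err != nil {
		return fmt.Errorf("request is not valid base64: %w", err)
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("request is not a DER CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	if csr.Subject.CommonName != spec.CommonName {
		return fmt.Errorf("commonName %q does not match CSR CN %q", spec.CommonName, csr.Subject.CommonName)
	}
	if spec.CommonName != "" && !contains(spec.DNSNames, spec.CommonName) && !contains(spec.IPAddresses, spec.CommonName) {
		return fmt.Errorf("commonName %q must also be present in dnsNames or ipAddresses", spec.CommonName)
	}
	if !sameSet(spec.DNSNames, csr.DNSNames) {
		return fmt.Errorf("dnsNames %v do not match CSR DNS SANs %v", spec.DNSNames, csr.DNSNames)
	}
	specIPs, err := canonIPs(spec.IPAddresses)
	if err != nil {
		return err
	}
	csrIPs := make([]string, 0, len(csr.IPAddresses))
	for _, ip := range csr.IPAddresses {
		csrIPs = append(csrIPs, ip.String())
	}
	if !sameSet(specIPs, csrIPs) {
		return fmt.Errorf("ipAddresses %v do not match CSR IP SANs %v", spec.IPAddresses, csrIPs)
	}
	return nil
}

// NewOrderSpec builds a spec whose request is a freshly generated, self-signed
// ECDSA CSR carrying the given CN and SANs. Constructed sample input only.
func NewOrderSpec(cn string, dns, ips []string) (OrderSpec, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return OrderSpec{}, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return OrderSpec{}, err
	}
	return OrderSpec{CommonName: cn, DNSNames: dns, IPAddresses: ips,
		Request: base64.StdEncoding.EncodeToString(der)}, nil
}

func main() {
	spec, err := NewOrderSpec("example.com", []string{"example.com", "www.example.com"}, []string{"10.0.0.1"})
	if err != nil {
		panic(err)
	}
	fmt.Println("consistent spec:", ValidateOrderSpec(spec))
	spec.DNSNames = []string{"example.com"} // tamper: spec no longer matches the CSR
	fmt.Println("tampered spec:", ValidateOrderSpec(spec))
}
```

Running the check at admission time (for instance in a validating webhook in front of the Order API) rejects Orders whose declared identifiers diverge from the CSR before any ACME challenge is attempted, so an ACME account is never asked to authorize names the finalized certificate would not actually carry.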