github.com/verrazzano/verrazzano@v1.7.1/platform-operator/thirdparty/manifests/cert-manager/cert-manager.crds.yaml

# Copyright 2022 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
# Source: cert-manager/templates/templates.out
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
  labels:
    app: 'cert-manager'
    app.kubernetes.io/name: 'cert-manager'
    app.kubernetes.io/instance: 'cert-manager'
    # Generated labels
    app.kubernetes.io/version: "v1.7.1"
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Approved")].status
          name: Approved
          type: string
        - jsonPath: .status.conditions[?(@.type=="Denied")].status
          name: Denied
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          type: string
        - jsonPath: .spec.username
          name: Requestor
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the CertificateRequest resource.
              type: object
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
                  type: string
                extra:
                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                request:
                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
                  type: string
                  format: byte
                uid:
                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: Status of the CertificateRequest. This is set and managed automatically.
              type: object
              properties:
                ca:
                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
                        type: string
                failureTime:
                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      served: true
      storage: true
---
# Source: cert-manager/templates/templates.out
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
  labels:
    app: 'cert-manager'
    app.kubernetes.io/name: 'cert-manager'
    app.kubernetes.io/instance: 'cert-manager'
    # Generated labels
    app.kubernetes.io/version: "v1.7.1"
spec:
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
      - cert
      - certs
    singular: certificate
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.secretName
          name: Secret
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          priority: 1
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Certificate resource.
              type: object
              required:
                - issuerRef
                - secretName
              properties:
                additionalOutputFormats:
                  description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
                  type: array
                  items:
                    description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
                    type: object
                    required:
                      - type
                    properties:
                      type:
                        description: Type is the name of the format type that should be written to the Certificate's target Secret.
                        type: string
                        enum:
                          - DER
                          - CombinedPEM
                commonName:
                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                  type: string
                dnsNames:
                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                emailAddresses:
                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                encodeUsagesInRequest:
                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
                  type: boolean
                ipAddresses:
                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                isCA:
                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                keystores:
                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
                  type: object
                  properties:
                    jks:
                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    pkcs12:
                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                privateKey:
                  description: Options to control private keys used for the Certificate.
                  type: object
                  properties:
                    algorithm:
                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
                      type: string
                      enum:
                        - RSA
                        - ECDSA
                        - Ed25519
                    encoding:
                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
                      type: string
                      enum:
                        - PKCS1
                        - PKCS8
                    rotationPolicy:
                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
                      type: string
                    size:
                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
                      type: integer
                renewBefore:
                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                revisionHistoryLimit:
                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
                  type: integer
                  format: int32
                secretName:
                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
                  type: string
                secretTemplate:
                  description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
                  type: object
                  properties:
                    annotations:
                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                    labels:
                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                subject:
                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                  type: object
                  properties:
                    countries:
                      description: Countries to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    localities:
                      description: Cities to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizationalUnits:
                      description: Organizational Units to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizations:
                      description: Organizations to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    postalCodes:
                      description: Postal codes to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    provinces:
                      description: State/Provinces to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    serialNumber:
                      description: Serial number to be used on the Certificate.
                      type: string
                    streetAddresses:
                      description: Street addresses to be used on the Certificate.
                      type: array
                      items:
                        type: string
                uris:
                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
            status:
              description: Status of the Certificate. This is set and managed automatically.
              type: object
              properties:
                conditions:
                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
                  type: array
                  items:
                    description: CertificateCondition contains condition information for an Certificate.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `Issuing`).
                        type: string
                lastFailureTime:
                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
                  type: string
                  format: date-time
                nextPrivateKeySecretName:
                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
                  type: string
                notAfter:
                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
                  type: string
                  format: date-time
                notBefore:
                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
                  type: string
                  format: date-time
                renewalTime:
                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
                  type: string
                  format: date-time
                revision:
                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
                  type: integer
      served: true
      storage: true
---
# Source: cert-manager/templates/templates.out
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: challenges.acme.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
  labels:
    app: 'cert-manager'
    app.kubernetes.io/name: 'cert-manager'
    app.kubernetes.io/instance: 'cert-manager'
    # Generated labels
    app.kubernetes.io/version: "v1.7.1"
spec:
  group: acme.cert-manager.io
  names:
    kind: Challenge
    listKind: ChallengeList
    plural: challenges
    singular: challenge
    categories:
      - cert-manager
      - cert-manager-acme
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .status.state
          name: State
          type: string
        - jsonPath: .spec.dnsName
          name: Domain
          type: string
        - jsonPath: .status.reason
          name: Reason
          priority: 1
          type: string
        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: Challenge is a type to represent a Challenge request with an ACME server
          type: object
          required:
            - metadata
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              type: object
              required:
                - authorizationURL
                - dnsName
                - issuerRef
                - key
                - solver
                - token
                - type
                - url
              properties:
                authorizationURL:
                  description: The URL to the ACME Authorization resource that this challenge is a part of.
                  type: string
                dnsName:
                  description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
                  type: string
                issuerRef:
                  description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                key:
                  description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
                  type: string
                solver:
                  description: Contains the domain solving configuration that should be used to solve this challenge resource.
                  type: object
                  properties:
                    dns01:
                      description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
                      type: object
                      properties:
                        acmeDNS:
                          description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
                          type: object
                          required:
                            - accountSecretRef
                            - host
                          properties:
                            accountSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            host:
                              type: string
                        akamai:
                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
                          type: object
                          required:
                            - accessTokenSecretRef
                            - clientSecretSecretRef
                            - clientTokenSecretRef
                            - serviceConsumerDomain
                          properties:
                            accessTokenSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            clientSecretSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            clientTokenSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            serviceConsumerDomain:
                              type: string
                        azureDNS:
                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
                          type: object
                          required:
                            - resourceGroupName
                            - subscriptionID
                          properties:
                            clientID:
                              description: if both this and ClientSecret are left unset MSI will be used
                              type: string
                            clientSecretSecretRef:
                              description: if both this and ClientID are left unset MSI will be used
                              type: object
                              required:
                                - name
                              properties:
                                key:
                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                  type: string
                            environment:
                              description: name of the Azure environment (default AzurePublicCloud)
                              type: string
                              enum:
                                - AzurePublicCloud
                                - AzureChinaCloud
                                - AzureGermanCloud
                                - AzureUSGovernmentCloud
                            hostedZoneName:
                              description: name of the DNS zone that should be used
                              type: string
                            managedIdentity:
                              description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
                              type: object
                              properties:
                                clientID:
                                  description: client ID of the managed identity, can not be used at the same time as resourceID
                                  type: string
                                resourceID:
                                  description: resource ID of the managed identity, can not be used at the same time as clientID
                                  type: string
                            resourceGroupName:
                              description: resource group the DNS zone is located in
                              type: string
                            subscriptionID:
                              description: ID of the Azure subscription
                              type: string
                            tenantID:
                              description: when specifying ClientID and ClientSecret then this field is also needed
                              type: string
                        cloudDNS:
                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
                          type: object
                          required:
                            - project
                          properties:
                            hostedZoneName:
                              description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
                              type: string
                            project:
                              type: string
                            serviceAccountSecretRef:
                              description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
812 type: object 813 required: 814 - name 815 properties: 816 key: 817 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 818 type: string 819 name: 820 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 821 type: string 822 cloudflare: 823 description: Use the Cloudflare API to manage DNS01 challenge records. 824 type: object 825 properties: 826 apiKeySecretRef: 827 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 828 type: object 829 required: 830 - name 831 properties: 832 key: 833 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 834 type: string 835 name: 836 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 837 type: string 838 apiTokenSecretRef: 839 description: API token used to authenticate with Cloudflare. 840 type: object 841 required: 842 - name 843 properties: 844 key: 845 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 846 type: string 847 name: 848 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 849 type: string 850 email: 851 description: Email of the account, only required when using API key based authentication. 852 type: string 853 cnameStrategy: 854 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 
855 type: string 856 enum: 857 - None 858 - Follow 859 digitalocean: 860 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 861 type: object 862 required: 863 - tokenSecretRef 864 properties: 865 tokenSecretRef: 866 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 867 type: object 868 required: 869 - name 870 properties: 871 key: 872 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 873 type: string 874 name: 875 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 876 type: string 877 rfc2136: 878 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 879 type: object 880 required: 881 - nameserver 882 properties: 883 nameserver: 884 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required. 885 type: string 886 tsigAlgorithm: 887 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 888 type: string 889 tsigKeyName: 890 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 891 type: string 892 tsigSecretSecretRef: 893 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 
894 type: object 895 required: 896 - name 897 properties: 898 key: 899 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 900 type: string 901 name: 902 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 903 type: string 904 route53: 905 description: Use the AWS Route53 API to manage DNS01 challenge records. 906 type: object 907 required: 908 - region 909 properties: 910 accessKeyID: 911 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 912 type: string 913 hostedZoneID: 914 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 915 type: string 916 region: 917 description: Always set the region when using AccessKeyID and SecretAccessKey 918 type: string 919 role: 920 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 921 type: string 922 secretAccessKeySecretRef: 923 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials 924 type: object 925 required: 926 - name 927 properties: 928 key: 929 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
930 type: string 931 name: 932 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 933 type: string 934 webhook: 935 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 936 type: object 937 required: 938 - groupName 939 - solverName 940 properties: 941 config: 942 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 943 x-kubernetes-preserve-unknown-fields: true 944 groupName: 945 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 946 type: string 947 solverName: 948 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 949 type: string 950 http01: 951 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 952 type: object 953 properties: 954 gatewayHTTPRoute: 955 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 
956 type: object 957 properties: 958 labels: 959 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. 960 type: object 961 additionalProperties: 962 type: string 963 serviceType: 964 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 965 type: string 966 ingress: 967 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 968 type: object 969 properties: 970 class: 971 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 972 type: string 973 ingressTemplate: 974 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 975 type: object 976 properties: 977 metadata: 978 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 979 type: object 980 properties: 981 annotations: 982 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 983 type: object 984 additionalProperties: 985 type: string 986 labels: 987 description: Labels that should be added to the created ACME HTTP01 solver ingress. 988 type: object 989 additionalProperties: 990 type: string 991 name: 992 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 993 type: string 994 podTemplate: 995 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 996 type: object 997 properties: 998 metadata: 999 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 1000 type: object 1001 properties: 1002 annotations: 1003 description: Annotations that should be added to the create ACME HTTP01 solver pods. 1004 type: object 1005 additionalProperties: 1006 type: string 1007 labels: 1008 description: Labels that should be added to the created ACME HTTP01 solver pods. 1009 type: object 1010 additionalProperties: 1011 type: string 1012 spec: 1013 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 1014 type: object 1015 properties: 1016 affinity: 1017 description: If specified, the pod's scheduling constraints 1018 type: object 1019 properties: 1020 nodeAffinity: 1021 description: Describes node affinity scheduling rules for the pod. 1022 type: object 1023 properties: 1024 preferredDuringSchedulingIgnoredDuringExecution: 1025 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 1026 type: array 1027 items: 1028 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 1029 type: object 1030 required: 1031 - preference 1032 - weight 1033 properties: 1034 preference: 1035 description: A node selector term, associated with the corresponding weight. 1036 type: object 1037 properties: 1038 matchExpressions: 1039 description: A list of node selector requirements by node's labels. 1040 type: array 1041 items: 1042 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1043 type: object 1044 required: 1045 - key 1046 - operator 1047 properties: 1048 key: 1049 description: The label key that the selector applies to. 1050 type: string 1051 operator: 1052 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1053 type: string 1054 values: 1055 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1056 type: array 1057 items: 1058 type: string 1059 matchFields: 1060 description: A list of node selector requirements by node's fields. 
1061 type: array 1062 items: 1063 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1064 type: object 1065 required: 1066 - key 1067 - operator 1068 properties: 1069 key: 1070 description: The label key that the selector applies to. 1071 type: string 1072 operator: 1073 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1074 type: string 1075 values: 1076 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1077 type: array 1078 items: 1079 type: string 1080 weight: 1081 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 1082 type: integer 1083 format: int32 1084 requiredDuringSchedulingIgnoredDuringExecution: 1085 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 1086 type: object 1087 required: 1088 - nodeSelectorTerms 1089 properties: 1090 nodeSelectorTerms: 1091 description: Required. A list of node selector terms. The terms are ORed. 1092 type: array 1093 items: 1094 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
1095 type: object 1096 properties: 1097 matchExpressions: 1098 description: A list of node selector requirements by node's labels. 1099 type: array 1100 items: 1101 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1102 type: object 1103 required: 1104 - key 1105 - operator 1106 properties: 1107 key: 1108 description: The label key that the selector applies to. 1109 type: string 1110 operator: 1111 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1112 type: string 1113 values: 1114 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 1115 type: array 1116 items: 1117 type: string 1118 matchFields: 1119 description: A list of node selector requirements by node's fields. 1120 type: array 1121 items: 1122 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1123 type: object 1124 required: 1125 - key 1126 - operator 1127 properties: 1128 key: 1129 description: The label key that the selector applies to. 1130 type: string 1131 operator: 1132 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 1133 type: string 1134 values: 1135 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch. 1136 type: array 1137 items: 1138 type: string 1139 podAffinity: 1140 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 1141 type: object 1142 properties: 1143 preferredDuringSchedulingIgnoredDuringExecution: 1144 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 1145 type: array 1146 items: 1147 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 1148 type: object 1149 required: 1150 - podAffinityTerm 1151 - weight 1152 properties: 1153 podAffinityTerm: 1154 description: Required. A pod affinity term, associated with the corresponding weight. 1155 type: object 1156 required: 1157 - topologyKey 1158 properties: 1159 labelSelector: 1160 description: A label query over a set of resources, in this case pods. 1161 type: object 1162 properties: 1163 matchExpressions: 1164 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1165 type: array 1166 items: 1167 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
1168 type: object 1169 required: 1170 - key 1171 - operator 1172 properties: 1173 key: 1174 description: key is the label key that the selector applies to. 1175 type: string 1176 operator: 1177 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1178 type: string 1179 values: 1180 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1181 type: array 1182 items: 1183 type: string 1184 matchLabels: 1185 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1186 type: object 1187 additionalProperties: 1188 type: string 1189 namespaceSelector: 1190 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 1191 type: object 1192 properties: 1193 matchExpressions: 1194 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1195 type: array 1196 items: 1197 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1198 type: object 1199 required: 1200 - key 1201 - operator 1202 properties: 1203 key: 1204 description: key is the label key that the selector applies to. 
1205 type: string 1206 operator: 1207 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1208 type: string 1209 values: 1210 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1211 type: array 1212 items: 1213 type: string 1214 matchLabels: 1215 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 1216 type: object 1217 additionalProperties: 1218 type: string 1219 namespaces: 1220 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 1221 type: array 1222 items: 1223 type: string 1224 topologyKey: 1225 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 1226 type: string 1227 weight: 1228 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 1229 type: integer 1230 format: int32 1231 requiredDuringSchedulingIgnoredDuringExecution: 1232 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 1233 type: array 1234 items: 1235 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 1236 type: object 1237 required: 1238 - topologyKey 1239 properties: 1240 labelSelector: 1241 description: A label query over a set of resources, in this case pods. 1242 type: object 1243 properties: 1244 matchExpressions: 1245 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 1246 type: array 1247 items: 1248 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 1249 type: object 1250 required: 1251 - key 1252 - operator 1253 properties: 1254 key: 1255 description: key is the label key that the selector applies to. 1256 type: string 1257 operator: 1258 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1259 type: string 1260 values: 1261 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 1262 type: array 1263 items: 1264 type: string 1265 matchLabels: 1266 description: matchLabels is a map of {key,value} pairs. 
                                                          A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaceSelector:
                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaces:
                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                    type: array
                                                    items:
                                                      type: string
                                                  topologyKey:
                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                    type: string
                                        podAntiAffinity:
                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
                                          type: object
                                          properties:
                                            preferredDuringSchedulingIgnoredDuringExecution:
                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
                                              type: array
                                              items:
                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                                type: object
                                                required:
                                                  - podAffinityTerm
                                                  - weight
                                                properties:
                                                  podAffinityTerm:
                                                    description: Required. A pod affinity term, associated with the corresponding weight.
                                                    type: object
                                                    required:
                                                      - topologyKey
                                                    properties:
                                                      labelSelector:
                                                        description: A label query over a set of resources, in this case pods.
                                                        type: object
                                                        properties:
                                                          matchExpressions:
                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                            type: array
                                                            items:
                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                              type: object
                                                              required:
                                                                - key
                                                                - operator
                                                              properties:
                                                                key:
                                                                  description: key is the label key that the selector applies to.
                                                                  type: string
                                                                operator:
                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                  type: string
                                                                values:
                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                  type: array
                                                                  items:
                                                                    type: string
                                                          matchLabels:
                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                            type: object
                                                            additionalProperties:
                                                              type: string
                                                      namespaceSelector:
                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                        type: object
                                                        properties:
                                                          matchExpressions:
                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                            type: array
                                                            items:
                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                              type: object
                                                              required:
                                                                - key
                                                                - operator
                                                              properties:
                                                                key:
                                                                  description: key is the label key that the selector applies to.
                                                                  type: string
                                                                operator:
                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                  type: string
                                                                values:
                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                  type: array
                                                                  items:
                                                                    type: string
                                                          matchLabels:
                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                            type: object
                                                            additionalProperties:
                                                              type: string
                                                      namespaces:
                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                        type: array
                                                        items:
                                                          type: string
                                                      topologyKey:
                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                        type: string
                                                  weight:
                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                    type: integer
                                                    format: int32
                                            requiredDuringSchedulingIgnoredDuringExecution:
                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                              type: array
                                              items:
                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                type: object
                                                required:
                                                  - topologyKey
                                                properties:
                                                  labelSelector:
                                                    description: A label query over a set of resources, in this case pods.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaceSelector:
                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaces:
                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                    type: array
                                                    items:
                                                      type: string
                                                  topologyKey:
                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                    type: string
                                    nodeSelector:
                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                                      type: object
                                      additionalProperties:
                                        type: string
                                    priorityClassName:
                                      description: If specified, the pod's priorityClassName.
                                      type: string
                                    serviceAccountName:
                                      description: If specified, the pod's service account
                                      type: string
                                    tolerations:
                                      description: If specified, the pod's tolerations.
                                      type: array
                                      items:
                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
                                        type: object
                                        properties:
                                          effect:
                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                                            type: string
                                          key:
                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                                            type: string
                                          operator:
                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                                            type: string
                                          tolerationSeconds:
                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                                            type: integer
                                            format: int64
                                          value:
                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
                                            type: string
                            serviceType:
                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
                              type: string
                    selector:
                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
                      type: object
                      properties:
                        dnsNames:
                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                          type: array
                          items:
                            type: string
                        dnsZones:
                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                          type: array
                          items:
                            type: string
                        matchLabels:
                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
                          type: object
                          additionalProperties:
                            type: string
                token:
                  description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
                  type: string
                type:
                  description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
                  type: string
                  enum:
                    - HTTP-01
                    - DNS-01
                url:
                  description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
                  type: string
                wildcard:
                  description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
                  type: boolean
            status:
              type: object
              properties:
                presented:
                  description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
                  type: boolean
                processing:
                  description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
                  type: boolean
                reason:
                  description: Contains human readable information on why the Challenge is in the current state.
                  type: string
                state:
                  description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
                  type: string
                  enum:
                    - valid
                    - ready
                    - pending
                    - processing
                    - invalid
                    - expired
                    - errored
      served: true
      storage: true
      subresources:
        status: {}
---
# Source: cert-manager/templates/templates.out
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterissuers.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
  labels:
    app: 'cert-manager'
    app.kubernetes.io/name: 'cert-manager'
    app.kubernetes.io/instance: 'cert-manager'
    # Generated labels
    app.kubernetes.io/version: "v1.7.1"
spec:
  group: cert-manager.io
  names:
    kind: ClusterIssuer
    listKind: ClusterIssuerList
    plural: clusterissuers
    singular: clusterissuer
    categories:
      - cert-manager
  scope: Cluster
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the ClusterIssuer resource.
              type: object
              properties:
                acme:
                  description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
                  type: object
                  required:
                    - privateKeySecretRef
                    - server
                  properties:
                    disableAccountKeyGeneration:
                      description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
                      type: boolean
                    email:
                      description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
                      type: string
                    enableDurationFeature:
                      description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
                      type: boolean
                    externalAccountBinding:
                      description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
                      type: object
                      required:
                        - keyID
                        - keySecretRef
                      properties:
                        keyAlgorithm:
                          description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
                          type: string
                          enum:
                            - HS256
                            - HS384
                            - HS512
                        keyID:
                          description: keyID is the ID of the CA key that the External Account is bound to.
                          type: string
                        keySecretRef:
                          description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    preferredChain:
                      description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
                      type: string
                      maxLength: 64
                    privateKeySecretRef:
                      description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
                      type: object
                      required:
                        - name
                      properties:
                        key:
                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                          type: string
                        name:
                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                          type: string
                    server:
                      description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
                      type: string
                    skipTLSVerify:
                      description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
                      type: boolean
                    solvers:
                      description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
                      type: array
                      items:
                        description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
                        type: object
                        properties:
                          dns01:
                            description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
                            type: object
                            properties:
                              acmeDNS:
                                description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - accountSecretRef
                                  - host
                                properties:
                                  accountSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  host:
                                    type: string
                              akamai:
                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - accessTokenSecretRef
                                  - clientSecretSecretRef
                                  - clientTokenSecretRef
                                  - serviceConsumerDomain
                                properties:
                                  accessTokenSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  clientSecretSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  clientTokenSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  serviceConsumerDomain:
                                    type: string
                              azureDNS:
                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - resourceGroupName
                                  - subscriptionID
                                properties:
                                  clientID:
                                    description: if both this and ClientSecret are left unset MSI will be used
                                    type: string
                                  clientSecretSecretRef:
                                    description: if both this and ClientID are left unset MSI will be used
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  environment:
                                    description: name of the Azure environment (default AzurePublicCloud)
                                    type: string
                                    enum:
                                      - AzurePublicCloud
                                      - AzureChinaCloud
                                      - AzureGermanCloud
                                      - AzureUSGovernmentCloud
                                  hostedZoneName:
                                    description: name of the DNS zone that should be used
                                    type: string
                                  managedIdentity:
                                    description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
                                    type: object
                                    properties:
                                      clientID:
                                        description: client ID of the managed identity, can not be used at the same time as resourceID
                                        type: string
                                      resourceID:
                                        description: resource ID of the managed identity, can not be used at the same time as clientID
                                        type: string
                                  resourceGroupName:
                                    description: resource group the DNS zone is located in
                                    type: string
                                  subscriptionID:
                                    description: ID of the Azure subscription
                                    type: string
                                  tenantID:
                                    description: when specifying ClientID and ClientSecret then this field is also needed
                                    type: string
                              cloudDNS:
                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - project
                                properties:
                                  hostedZoneName:
                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
                                    type: string
                                  project:
                                    type: string
                                  serviceAccountSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              cloudflare:
                                description: Use the Cloudflare API to manage DNS01 challenge records.
                                type: object
                                properties:
                                  apiKeySecretRef:
                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  apiTokenSecretRef:
                                    description: API token used to authenticate with Cloudflare.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  email:
                                    description: Email of the account, only required when using API key based authentication.
                                    type: string
                              cnameStrategy:
                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
                                type: string
                                enum:
                                  - None
                                  - Follow
                              digitalocean:
                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - tokenSecretRef
                                properties:
                                  tokenSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              rfc2136:
                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
                                type: object
                                required:
                                  - nameserver
                                properties:
                                  nameserver:
                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]); port is optional. This field is required.
                                    type: string
                                  tsigAlgorithm:
                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
                                    type: string
                                  tsigKeyName:
                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
                                    type: string
                                  tsigSecretSecretRef:
                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              route53:
                                description: Use the AWS Route53 API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - region
                                properties:
                                  accessKeyID:
                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                    type: string
                                  hostedZoneID:
                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
                                    type: string
                                  region:
                                    description: Always set the region when using AccessKeyID and SecretAccessKey
                                    type: string
                                  role:
                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
                                    type: string
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              webhook:
                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
                                type: object
                                required:
                                  - groupName
                                  - solverName
                                properties:
                                  config:
                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
                                    x-kubernetes-preserve-unknown-fields: true
                                  groupName:
                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver.
This should be the same as the GroupName specified in the webhook provider implementation. 1979 type: string 1980 solverName: 1981 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 1982 type: string 1983 http01: 1984 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 1985 type: object 1986 properties: 1987 gatewayHTTPRoute: 1988 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 1989 type: object 1990 properties: 1991 labels: 1992 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. 1993 type: object 1994 additionalProperties: 1995 type: string 1996 serviceType: 1997 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 1998 type: string 1999 ingress: 2000 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 2001 type: object 2002 properties: 2003 class: 2004 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
2005 type: string 2006 ingressTemplate: 2007 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 2008 type: object 2009 properties: 2010 metadata: 2011 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 2012 type: object 2013 properties: 2014 annotations: 2015 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 2016 type: object 2017 additionalProperties: 2018 type: string 2019 labels: 2020 description: Labels that should be added to the created ACME HTTP01 solver ingress. 2021 type: object 2022 additionalProperties: 2023 type: string 2024 name: 2025 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 2026 type: string 2027 podTemplate: 2028 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 2029 type: object 2030 properties: 2031 metadata: 2032 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 2033 type: object 2034 properties: 2035 annotations: 2036 description: Annotations that should be added to the create ACME HTTP01 solver pods. 2037 type: object 2038 additionalProperties: 2039 type: string 2040 labels: 2041 description: Labels that should be added to the created ACME HTTP01 solver pods. 
2042 type: object 2043 additionalProperties: 2044 type: string 2045 spec: 2046 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 2047 type: object 2048 properties: 2049 affinity: 2050 description: If specified, the pod's scheduling constraints 2051 type: object 2052 properties: 2053 nodeAffinity: 2054 description: Describes node affinity scheduling rules for the pod. 2055 type: object 2056 properties: 2057 preferredDuringSchedulingIgnoredDuringExecution: 2058 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 2059 type: array 2060 items: 2061 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 2062 type: object 2063 required: 2064 - preference 2065 - weight 2066 properties: 2067 preference: 2068 description: A node selector term, associated with the corresponding weight. 2069 type: object 2070 properties: 2071 matchExpressions: 2072 description: A list of node selector requirements by node's labels. 2073 type: array 2074 items: 2075 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
2076 type: object 2077 required: 2078 - key 2079 - operator 2080 properties: 2081 key: 2082 description: The label key that the selector applies to. 2083 type: string 2084 operator: 2085 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2086 type: string 2087 values: 2088 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2089 type: array 2090 items: 2091 type: string 2092 matchFields: 2093 description: A list of node selector requirements by node's fields. 2094 type: array 2095 items: 2096 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2097 type: object 2098 required: 2099 - key 2100 - operator 2101 properties: 2102 key: 2103 description: The label key that the selector applies to. 2104 type: string 2105 operator: 2106 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2107 type: string 2108 values: 2109 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2110 type: array 2111 items: 2112 type: string 2113 weight: 2114 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
2115 type: integer 2116 format: int32 2117 requiredDuringSchedulingIgnoredDuringExecution: 2118 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 2119 type: object 2120 required: 2121 - nodeSelectorTerms 2122 properties: 2123 nodeSelectorTerms: 2124 description: Required. A list of node selector terms. The terms are ORed. 2125 type: array 2126 items: 2127 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 2128 type: object 2129 properties: 2130 matchExpressions: 2131 description: A list of node selector requirements by node's labels. 2132 type: array 2133 items: 2134 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2135 type: object 2136 required: 2137 - key 2138 - operator 2139 properties: 2140 key: 2141 description: The label key that the selector applies to. 2142 type: string 2143 operator: 2144 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2145 type: string 2146 values: 2147 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2148 type: array 2149 items: 2150 type: string 2151 matchFields: 2152 description: A list of node selector requirements by node's fields. 
2153 type: array 2154 items: 2155 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2156 type: object 2157 required: 2158 - key 2159 - operator 2160 properties: 2161 key: 2162 description: The label key that the selector applies to. 2163 type: string 2164 operator: 2165 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 2166 type: string 2167 values: 2168 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 2169 type: array 2170 items: 2171 type: string 2172 podAffinity: 2173 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 2174 type: object 2175 properties: 2176 preferredDuringSchedulingIgnoredDuringExecution: 2177 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
2178 type: array 2179 items: 2180 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2181 type: object 2182 required: 2183 - podAffinityTerm 2184 - weight 2185 properties: 2186 podAffinityTerm: 2187 description: Required. A pod affinity term, associated with the corresponding weight. 2188 type: object 2189 required: 2190 - topologyKey 2191 properties: 2192 labelSelector: 2193 description: A label query over a set of resources, in this case pods. 2194 type: object 2195 properties: 2196 matchExpressions: 2197 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2198 type: array 2199 items: 2200 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2201 type: object 2202 required: 2203 - key 2204 - operator 2205 properties: 2206 key: 2207 description: key is the label key that the selector applies to. 2208 type: string 2209 operator: 2210 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2211 type: string 2212 values: 2213 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2214 type: array 2215 items: 2216 type: string 2217 matchLabels: 2218 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2219 type: object 2220 additionalProperties: 2221 type: string 2222 namespaceSelector: 2223 description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2224 type: object 2225 properties: 2226 matchExpressions: 2227 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2228 type: array 2229 items: 2230 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2231 type: object 2232 required: 2233 - key 2234 - operator 2235 properties: 2236 key: 2237 description: key is the label key that the selector applies to. 2238 type: string 2239 operator: 2240 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2241 type: string 2242 values: 2243 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2244 type: array 2245 items: 2246 type: string 2247 matchLabels: 2248 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2249 type: object 2250 additionalProperties: 2251 type: string 2252 namespaces: 2253 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. 
null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2254 type: array 2255 items: 2256 type: string 2257 topologyKey: 2258 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2259 type: string 2260 weight: 2261 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 2262 type: integer 2263 format: int32 2264 requiredDuringSchedulingIgnoredDuringExecution: 2265 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 2266 type: array 2267 items: 2268 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 2269 type: object 2270 required: 2271 - topologyKey 2272 properties: 2273 labelSelector: 2274 description: A label query over a set of resources, in this case pods. 2275 type: object 2276 properties: 2277 matchExpressions: 2278 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
2279 type: array 2280 items: 2281 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2282 type: object 2283 required: 2284 - key 2285 - operator 2286 properties: 2287 key: 2288 description: key is the label key that the selector applies to. 2289 type: string 2290 operator: 2291 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2292 type: string 2293 values: 2294 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2295 type: array 2296 items: 2297 type: string 2298 matchLabels: 2299 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2300 type: object 2301 additionalProperties: 2302 type: string 2303 namespaceSelector: 2304 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2305 type: object 2306 properties: 2307 matchExpressions: 2308 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2309 type: array 2310 items: 2311 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
2312 type: object 2313 required: 2314 - key 2315 - operator 2316 properties: 2317 key: 2318 description: key is the label key that the selector applies to. 2319 type: string 2320 operator: 2321 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2322 type: string 2323 values: 2324 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2325 type: array 2326 items: 2327 type: string 2328 matchLabels: 2329 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2330 type: object 2331 additionalProperties: 2332 type: string 2333 namespaces: 2334 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2335 type: array 2336 items: 2337 type: string 2338 topologyKey: 2339 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2340 type: string 2341 podAntiAffinity: 2342 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). 
2343 type: object 2344 properties: 2345 preferredDuringSchedulingIgnoredDuringExecution: 2346 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 2347 type: array 2348 items: 2349 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) 2350 type: object 2351 required: 2352 - podAffinityTerm 2353 - weight 2354 properties: 2355 podAffinityTerm: 2356 description: Required. A pod affinity term, associated with the corresponding weight. 2357 type: object 2358 required: 2359 - topologyKey 2360 properties: 2361 labelSelector: 2362 description: A label query over a set of resources, in this case pods. 2363 type: object 2364 properties: 2365 matchExpressions: 2366 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2367 type: array 2368 items: 2369 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2370 type: object 2371 required: 2372 - key 2373 - operator 2374 properties: 2375 key: 2376 description: key is the label key that the selector applies to. 2377 type: string 2378 operator: 2379 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
2380 type: string 2381 values: 2382 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2383 type: array 2384 items: 2385 type: string 2386 matchLabels: 2387 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2388 type: object 2389 additionalProperties: 2390 type: string 2391 namespaceSelector: 2392 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2393 type: object 2394 properties: 2395 matchExpressions: 2396 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2397 type: array 2398 items: 2399 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2400 type: object 2401 required: 2402 - key 2403 - operator 2404 properties: 2405 key: 2406 description: key is the label key that the selector applies to. 2407 type: string 2408 operator: 2409 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2410 type: string 2411 values: 2412 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2413 type: array 2414 items: 2415 type: string 2416 matchLabels: 2417 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2418 type: object 2419 additionalProperties: 2420 type: string 2421 namespaces: 2422 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2423 type: array 2424 items: 2425 type: string 2426 topologyKey: 2427 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2428 type: string 2429 weight: 2430 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 2431 type: integer 2432 format: int32 2433 requiredDuringSchedulingIgnoredDuringExecution: 2434 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. 
all terms must be satisfied. 2435 type: array 2436 items: 2437 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running 2438 type: object 2439 required: 2440 - topologyKey 2441 properties: 2442 labelSelector: 2443 description: A label query over a set of resources, in this case pods. 2444 type: object 2445 properties: 2446 matchExpressions: 2447 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2448 type: array 2449 items: 2450 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2451 type: object 2452 required: 2453 - key 2454 - operator 2455 properties: 2456 key: 2457 description: key is the label key that the selector applies to. 2458 type: string 2459 operator: 2460 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2461 type: string 2462 values: 2463 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2464 type: array 2465 items: 2466 type: string 2467 matchLabels: 2468 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
2469 type: object 2470 additionalProperties: 2471 type: string 2472 namespaceSelector: 2473 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 2474 type: object 2475 properties: 2476 matchExpressions: 2477 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 2478 type: array 2479 items: 2480 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 2481 type: object 2482 required: 2483 - key 2484 - operator 2485 properties: 2486 key: 2487 description: key is the label key that the selector applies to. 2488 type: string 2489 operator: 2490 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 2491 type: string 2492 values: 2493 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 2494 type: array 2495 items: 2496 type: string 2497 matchLabels: 2498 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 2499 type: object 2500 additionalProperties: 2501 type: string 2502 namespaces: 2503 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 2504 type: array 2505 items: 2506 type: string 2507 topologyKey: 2508 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 2509 type: string 2510 nodeSelector: 2511 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 2512 type: object 2513 additionalProperties: 2514 type: string 2515 priorityClassName: 2516 description: If specified, the pod's priorityClassName. 2517 type: string 2518 serviceAccountName: 2519 description: If specified, the pod's service account 2520 type: string 2521 tolerations: 2522 description: If specified, the pod's tolerations. 2523 type: array 2524 items: 2525 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 2526 type: object 2527 properties: 2528 effect: 2529 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 2530 type: string 2531 key: 2532 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
2533 type: string 2534 operator: 2535 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 2536 type: string 2537 tolerationSeconds: 2538 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 2539 type: integer 2540 format: int64 2541 value: 2542 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 2543 type: string 2544 serviceType: 2545 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 2546 type: string 2547 selector: 2548 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 2549 type: object 2550 properties: 2551 dnsNames: 2552 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 2553 type: array 2554 items: 2555 type: string 2556 dnsZones: 2557 description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 2558 type: array 2559 items: 2560 type: string 2561 matchLabels: 2562 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. 2563 type: object 2564 additionalProperties: 2565 type: string 2566 ca: 2567 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 2568 type: object 2569 required: 2570 - secretName 2571 properties: 2572 crlDistributionPoints: 2573 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 2574 type: array 2575 items: 2576 type: string 2577 ocspServers: 2578 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 2579 type: array 2580 items: 2581 type: string 2582 secretName: 2583 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 
2584 type: string 2585 selfSigned: 2586 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 2587 type: object 2588 properties: 2589 crlDistributionPoints: 2590 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. 2591 type: array 2592 items: 2593 type: string 2594 vault: 2595 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 2596 type: object 2597 required: 2598 - auth 2599 - path 2600 - server 2601 properties: 2602 auth: 2603 description: Auth configures how cert-manager authenticates with the Vault server. 2604 type: object 2605 properties: 2606 appRole: 2607 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 2608 type: object 2609 required: 2610 - path 2611 - roleId 2612 - secretRef 2613 properties: 2614 path: 2615 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 2616 type: string 2617 roleId: 2618 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 2619 type: string 2620 secretRef: 2621 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 2622 type: object 2623 required: 2624 - name 2625 properties: 2626 key: 2627 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
2628 type: string 2629 name: 2630 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2631 type: string 2632 kubernetes: 2633 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 2634 type: object 2635 required: 2636 - role 2637 - secretRef 2638 properties: 2639 mountPath: 2640 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 2641 type: string 2642 role: 2643 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 2644 type: string 2645 secretRef: 2646 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 2647 type: object 2648 required: 2649 - name 2650 properties: 2651 key: 2652 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2653 type: string 2654 name: 2655 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2656 type: string 2657 tokenSecretRef: 2658 description: TokenSecretRef authenticates with Vault by presenting a token. 2659 type: object 2660 required: 2661 - name 2662 properties: 2663 key: 2664 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2665 type: string 2666 name: 2667 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2668 type: string 2669 caBundle: 2670 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 2671 type: string 2672 format: byte 2673 namespace: 2674 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' 2675 type: string 2676 path: 2677 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 2678 type: string 2679 server: 2680 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 2681 type: string 2682 venafi: 2683 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 2684 type: object 2685 required: 2686 - zone 2687 properties: 2688 cloud: 2689 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 2690 type: object 2691 required: 2692 - apiTokenSecretRef 2693 properties: 2694 apiTokenSecretRef: 2695 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 2696 type: object 2697 required: 2698 - name 2699 properties: 2700 key: 2701 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2702 type: string 2703 name: 2704 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2705 type: string 2706 url: 2707 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 2708 type: string 2709 tpp: 2710 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 2711 type: object 2712 required: 2713 - credentialsRef 2714 - url 2715 properties: 2716 caBundle: 2717 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. 2718 type: string 2719 format: byte 2720 credentialsRef: 2721 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 2722 type: object 2723 required: 2724 - name 2725 properties: 2726 name: 2727 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2728 type: string 2729 url: 2730 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 2731 type: string 2732 zone: 2733 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 2734 type: string 2735 status: 2736 description: Status of the ClusterIssuer. This is set and managed automatically. 2737 type: object 2738 properties: 2739 acme: 2740 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
2741 type: object 2742 properties: 2743 lastRegisteredEmail: 2744 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer 2745 type: string 2746 uri: 2747 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA 2748 type: string 2749 conditions: 2750 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. 2751 type: array 2752 items: 2753 description: IssuerCondition contains condition information for an Issuer. 2754 type: object 2755 required: 2756 - status 2757 - type 2758 properties: 2759 lastTransitionTime: 2760 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 2761 type: string 2762 format: date-time 2763 message: 2764 description: Message is a human readable description of the details of the last transition, complementing reason. 2765 type: string 2766 observedGeneration: 2767 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 2768 type: integer 2769 format: int64 2770 reason: 2771 description: Reason is a brief machine readable explanation for the condition's last transition. 2772 type: string 2773 status: 2774 description: Status of the condition, one of (`True`, `False`, `Unknown`). 2775 type: string 2776 enum: 2777 - "True" 2778 - "False" 2779 - Unknown 2780 type: 2781 description: Type of the condition, known values are (`Ready`). 
2782 type: string 2783 served: true 2784 storage: true 2785 --- 2786 # Source: cert-manager/templates/templates.out 2787 apiVersion: apiextensions.k8s.io/v1 2788 kind: CustomResourceDefinition 2789 metadata: 2790 name: issuers.cert-manager.io 2791 annotations: 2792 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' 2793 labels: 2794 app: 'cert-manager' 2795 app.kubernetes.io/name: 'cert-manager' 2796 app.kubernetes.io/instance: 'cert-manager' 2797 # Generated labels 2798 app.kubernetes.io/version: "v1.7.1" 2799 spec: 2800 group: cert-manager.io 2801 names: 2802 kind: Issuer 2803 listKind: IssuerList 2804 plural: issuers 2805 singular: issuer 2806 categories: 2807 - cert-manager 2808 scope: Namespaced 2809 versions: 2810 - name: v1 2811 subresources: 2812 status: {} 2813 additionalPrinterColumns: 2814 - jsonPath: .status.conditions[?(@.type=="Ready")].status 2815 name: Ready 2816 type: string 2817 - jsonPath: .status.conditions[?(@.type=="Ready")].message 2818 name: Status 2819 priority: 1 2820 type: string 2821 - jsonPath: .metadata.creationTimestamp 2822 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 2823 name: Age 2824 type: date 2825 schema: 2826 openAPIV3Schema: 2827 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. 2828 type: object 2829 required: 2830 - spec 2831 properties: 2832 apiVersion: 2833 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2834 type: string 2835 kind: 2836 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2837 type: string 2838 metadata: 2839 type: object 2840 spec: 2841 description: Desired state of the Issuer resource. 2842 type: object 2843 properties: 2844 acme: 2845 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. 2846 type: object 2847 required: 2848 - privateKeySecretRef 2849 - server 2850 properties: 2851 disableAccountKeyGeneration: 2852 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. 2853 type: boolean 2854 email: 2855 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 2856 type: string 2857 enableDurationFeature: 2858 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. 
2859 type: boolean 2860 externalAccountBinding: 2861 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. 2862 type: object 2863 required: 2864 - keyID 2865 - keySecretRef 2866 properties: 2867 keyAlgorithm: 2868 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' 2869 type: string 2870 enum: 2871 - HS256 2872 - HS384 2873 - HS512 2874 keyID: 2875 description: keyID is the ID of the CA key that the External Account is bound to. 2876 type: string 2877 keySecretRef: 2878 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. 2879 type: object 2880 required: 2881 - name 2882 properties: 2883 key: 2884 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2885 type: string 2886 name: 2887 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2888 type: string 2889 preferredChain: 2890 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' 2891 type: string 2892 maxLength: 64 2893 privateKeySecretRef: 2894 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. 2895 type: object 2896 required: 2897 - name 2898 properties: 2899 key: 2900 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2901 type: string 2902 name: 2903 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2904 type: string 2905 server: 2906 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' 2907 type: string 2908 skipTLSVerify: 2909 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. 2910 type: boolean 2911 solvers: 2912 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. 
For more information, see: https://cert-manager.io/docs/configuration/acme/' 2913 type: array 2914 items: 2915 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. 2916 type: object 2917 properties: 2918 dns01: 2919 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 2920 type: object 2921 properties: 2922 acmeDNS: 2923 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 2924 type: object 2925 required: 2926 - accountSecretRef 2927 - host 2928 properties: 2929 accountSecretRef: 2930 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 2931 type: object 2932 required: 2933 - name 2934 properties: 2935 key: 2936 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2937 type: string 2938 name: 2939 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2940 type: string 2941 host: 2942 type: string 2943 akamai: 2944 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 2945 type: object 2946 required: 2947 - accessTokenSecretRef 2948 - clientSecretSecretRef 2949 - clientTokenSecretRef 2950 - serviceConsumerDomain 2951 properties: 2952 accessTokenSecretRef: 2953 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 2954 type: object 2955 required: 2956 - name 2957 properties: 2958 key: 2959 description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. 2960 type: string 2961 name: 2962 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2963 type: string 2964 clientSecretSecretRef: 2965 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 2966 type: object 2967 required: 2968 - name 2969 properties: 2970 key: 2971 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2972 type: string 2973 name: 2974 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2975 type: string 2976 clientTokenSecretRef: 2977 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 2978 type: object 2979 required: 2980 - name 2981 properties: 2982 key: 2983 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 2984 type: string 2985 name: 2986 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 2987 type: string 2988 serviceConsumerDomain: 2989 type: string 2990 azureDNS: 2991 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
2992 type: object 2993 required: 2994 - resourceGroupName 2995 - subscriptionID 2996 properties: 2997 clientID: 2998 description: if both this and ClientSecret are left unset MSI will be used 2999 type: string 3000 clientSecretSecretRef: 3001 description: if both this and ClientID are left unset MSI will be used 3002 type: object 3003 required: 3004 - name 3005 properties: 3006 key: 3007 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3008 type: string 3009 name: 3010 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3011 type: string 3012 environment: 3013 description: name of the Azure environment (default AzurePublicCloud) 3014 type: string 3015 enum: 3016 - AzurePublicCloud 3017 - AzureChinaCloud 3018 - AzureGermanCloud 3019 - AzureUSGovernmentCloud 3020 hostedZoneName: 3021 description: name of the DNS zone that should be used 3022 type: string 3023 managedIdentity: 3024 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 3025 type: object 3026 properties: 3027 clientID: 3028 description: client ID of the managed identity, can not be used at the same time as resourceID 3029 type: string 3030 resourceID: 3031 description: resource ID of the managed identity, can not be used at the same time as clientID 3032 type: string 3033 resourceGroupName: 3034 description: resource group the DNS zone is located in 3035 type: string 3036 subscriptionID: 3037 description: ID of the Azure subscription 3038 type: string 3039 tenantID: 3040 description: when specifying ClientID and ClientSecret then this field is also needed 3041 type: string 3042 cloudDNS: 3043 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
                                type: object
                                required:
                                  - project
                                properties:
                                  hostedZoneName:
                                    description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
                                    type: string
                                  project:
                                    type: string
                                  serviceAccountSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              cloudflare:
                                description: Use the Cloudflare API to manage DNS01 challenge records.
                                type: object
                                properties:
                                  apiKeySecretRef:
                                    description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  apiTokenSecretRef:
                                    description: API token used to authenticate with Cloudflare.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                                  email:
                                    description: Email of the account, only required when using API key based authentication.
                                    type: string
                              cnameStrategy:
                                description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
                                type: string
                                enum:
                                  - None
                                  - Follow
                              digitalocean:
                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - tokenSecretRef
                                properties:
                                  tokenSecretRef:
                                    description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              rfc2136:
                                description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
                                type: object
                                required:
                                  - nameserver
                                properties:
                                  nameserver:
                                    description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]); port is optional. This field is required.
                                    type: string
                                  tsigAlgorithm:
                                    description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
                                    type: string
                                  tsigKeyName:
                                    description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
                                    type: string
                                  tsigSecretSecretRef:
                                    description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              route53:
                                description: Use the AWS Route53 API to manage DNS01 challenge records.
                                type: object
                                required:
                                  - region
                                properties:
                                  accessKeyID:
                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                    type: string
                                  hostedZoneID:
                                    description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
                                    type: string
                                  region:
                                    description: Always set the region when using AccessKeyID and SecretAccessKey
                                    type: string
                                  role:
                                    description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
                                    type: string
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                                    type: object
                                    required:
                                      - name
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                        type: string
                              webhook:
                                description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
                                type: object
                                required:
                                  - groupName
                                  - solverName
                                properties:
                                  config:
                                    description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
                                    x-kubernetes-preserve-unknown-fields: true
                                  groupName:
                                    description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
                                    type: string
                                  solverName:
                                    description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
                                    type: string
                          http01:
                            description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
                            type: object
                            properties:
                              gatewayHTTPRoute:
                                description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
                                type: object
                                properties:
                                  labels:
                                    description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
                                    type: object
                                    additionalProperties:
                                      type: string
                                  serviceType:
                                    description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
                                    type: string
                              ingress:
                                description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
                                type: object
                                properties:
                                  class:
                                    description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
                                    type: string
                                  ingressTemplate:
                                    description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
                                    type: object
                                    properties:
                                      metadata:
                                        description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
                                        type: object
                                        properties:
                                          annotations:
                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
                                            type: object
                                            additionalProperties:
                                              type: string
                                          labels:
                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
                                            type: object
                                            additionalProperties:
                                              type: string
                                  name:
                                    description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
                                    type: string
                                  podTemplate:
                                    description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
                                    type: object
                                    properties:
                                      metadata:
                                        description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
                                        type: object
                                        properties:
                                          annotations:
                                            description: Annotations that should be added to the created ACME HTTP01 solver pods.
                                            type: object
                                            additionalProperties:
                                              type: string
                                          labels:
                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
                                            type: object
                                            additionalProperties:
                                              type: string
                                      spec:
                                        description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
                                        type: object
                                        properties:
                                          affinity:
                                            description: If specified, the pod's scheduling constraints
                                            type: object
                                            properties:
                                              nodeAffinity:
                                                description: Describes node affinity scheduling rules for the pod.
                                                type: object
                                                properties:
                                                  preferredDuringSchedulingIgnoredDuringExecution:
                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
                                                    type: array
                                                    items:
                                                      description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
                                                      type: object
                                                      required:
                                                        - preference
                                                        - weight
                                                      properties:
                                                        preference:
                                                          description: A node selector term, associated with the corresponding weight.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: A list of node selector requirements by node's labels.
                                                              type: array
                                                              items:
                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: The label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                                                    type: string
                                                                  values:
                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchFields:
                                                              description: A list of node selector requirements by node's fields.
                                                              type: array
                                                              items:
                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: The label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                                                    type: string
                                                                  values:
                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                        weight:
                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
                                                          type: integer
                                                          format: int32
                                                  requiredDuringSchedulingIgnoredDuringExecution:
                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
                                                    type: object
                                                    required:
                                                      - nodeSelectorTerms
                                                    properties:
                                                      nodeSelectorTerms:
                                                        description: Required. A list of node selector terms. The terms are ORed.
                                                        type: array
                                                        items:
                                                          description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: A list of node selector requirements by node's labels.
                                                              type: array
                                                              items:
                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: The label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                                                    type: string
                                                                  values:
                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchFields:
                                                              description: A list of node selector requirements by node's fields.
                                                              type: array
                                                              items:
                                                                description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: The label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
                                                                    type: string
                                                                  values:
                                                                    description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                              podAffinity:
                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
                                                type: object
                                                properties:
                                                  preferredDuringSchedulingIgnoredDuringExecution:
                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
                                                    type: array
                                                    items:
                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                                      type: object
                                                      required:
                                                        - podAffinityTerm
                                                        - weight
                                                      properties:
                                                        podAffinityTerm:
                                                          description: Required. A pod affinity term, associated with the corresponding weight.
                                                          type: object
                                                          required:
                                                            - topologyKey
                                                          properties:
                                                            labelSelector:
                                                              description: A label query over a set of resources, in this case pods.
                                                              type: object
                                                              properties:
                                                                matchExpressions:
                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                                  type: array
                                                                  items:
                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                    type: object
                                                                    required:
                                                                      - key
                                                                      - operator
                                                                    properties:
                                                                      key:
                                                                        description: key is the label key that the selector applies to.
                                                                        type: string
                                                                      operator:
                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                        type: string
                                                                      values:
                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                        type: array
                                                                        items:
                                                                          type: string
                                                                matchLabels:
                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                                  type: object
                                                                  additionalProperties:
                                                                    type: string
                                                            namespaceSelector:
                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                              type: object
                                                              properties:
                                                                matchExpressions:
                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                                  type: array
                                                                  items:
                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                    type: object
                                                                    required:
                                                                      - key
                                                                      - operator
                                                                    properties:
                                                                      key:
                                                                        description: key is the label key that the selector applies to.
                                                                        type: string
                                                                      operator:
                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                        type: string
                                                                      values:
                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                        type: array
                                                                        items:
                                                                          type: string
                                                                matchLabels:
                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                                  type: object
                                                                  additionalProperties:
                                                                    type: string
                                                            namespaces:
                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                              type: array
                                                              items:
                                                                type: string
                                                            topologyKey:
                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                              type: string
                                                        weight:
                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                          type: integer
                                                          format: int32
                                                  requiredDuringSchedulingIgnoredDuringExecution:
                                                    description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                                    type: array
                                                    items:
                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                      type: object
                                                      required:
                                                        - topologyKey
                                                      properties:
                                                        labelSelector:
                                                          description: A label query over a set of resources, in this case pods.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaceSelector:
                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaces:
                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                          type: array
                                                          items:
                                                            type: string
                                                        topologyKey:
                                                          description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                          type: string
                                              podAntiAffinity:
                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
                                                type: object
                                                properties:
                                                  preferredDuringSchedulingIgnoredDuringExecution:
                                                    description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
                                                    type: array
                                                    items:
                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                                      type: object
                                                      required:
                                                        - podAffinityTerm
                                                        - weight
                                                      properties:
                                                        podAffinityTerm:
                                                          description: Required. A pod affinity term, associated with the corresponding weight.
                                                          type: object
                                                          required:
                                                            - topologyKey
                                                          properties:
                                                            labelSelector:
                                                              description: A label query over a set of resources, in this case pods.
                                                              type: object
                                                              properties:
                                                                matchExpressions:
                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                                  type: array
                                                                  items:
                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                    type: object
                                                                    required:
                                                                      - key
                                                                      - operator
                                                                    properties:
                                                                      key:
                                                                        description: key is the label key that the selector applies to.
                                                                        type: string
                                                                      operator:
                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                        type: string
                                                                      values:
                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                        type: array
                                                                        items:
                                                                          type: string
                                                                matchLabels:
                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                                  type: object
                                                                  additionalProperties:
                                                                    type: string
                                                            namespaceSelector:
                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                              type: object
                                                              properties:
                                                                matchExpressions:
                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                                  type: array
                                                                  items:
                                                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                    type: object
                                                                    required:
                                                                      - key
                                                                      - operator
                                                                    properties:
                                                                      key:
                                                                        description: key is the label key that the selector applies to.
                                                                        type: string
                                                                      operator:
                                                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                        type: string
                                                                      values:
                                                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                        type: array
                                                                        items:
                                                                          type: string
                                                                matchLabels:
                                                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                                  type: object
                                                                  additionalProperties:
                                                                    type: string
                                                            namespaces:
                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                              type: array
                                                              items:
                                                                type: string
                                                            topologyKey:
                                                              description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                              type: string
                                                        weight:
                                                          description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                          type: integer
                                                          format: int32
                                                  requiredDuringSchedulingIgnoredDuringExecution:
                                                    description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                                    type: array
                                                    items:
                                                      description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                      type: object
                                                      required:
                                                        - topologyKey
                                                      properties:
                                                        labelSelector:
                                                          description: A label query over a set of resources, in this case pods.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                              type: array
                                                              items:
                                                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                                type: object
                                                                required:
                                                                  - key
                                                                  - operator
                                                                properties:
                                                                  key:
                                                                    description: key is the label key that the selector applies to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3679 type: object 3680 additionalProperties: 3681 type: string 3682 namespaceSelector: 3683 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. 3684 type: object 3685 properties: 3686 matchExpressions: 3687 description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 3688 type: array 3689 items: 3690 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 3691 type: object 3692 required: 3693 - key 3694 - operator 3695 properties: 3696 key: 3697 description: key is the label key that the selector applies to. 3698 type: string 3699 operator: 3700 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 3701 type: string 3702 values: 3703 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 3704 type: array 3705 items: 3706 type: string 3707 matchLabels: 3708 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 3709 type: object 3710 additionalProperties: 3711 type: string 3712 namespaces: 3713 description: namespaces specifies a static list of namespace names that the term applies to. 
The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" 3714 type: array 3715 items: 3716 type: string 3717 topologyKey: 3718 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 3719 type: string 3720 nodeSelector: 3721 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' 3722 type: object 3723 additionalProperties: 3724 type: string 3725 priorityClassName: 3726 description: If specified, the pod's priorityClassName. 3727 type: string 3728 serviceAccountName: 3729 description: If specified, the pod's service account 3730 type: string 3731 tolerations: 3732 description: If specified, the pod's tolerations. 3733 type: array 3734 items: 3735 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. 3736 type: object 3737 properties: 3738 effect: 3739 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. 3740 type: string 3741 key: 3742 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
3743 type: string 3744 operator: 3745 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 3746 type: string 3747 tolerationSeconds: 3748 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. 3749 type: integer 3750 format: int64 3751 value: 3752 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. 3753 type: string 3754 serviceType: 3755 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 3756 type: string 3757 selector: 3758 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 3759 type: object 3760 properties: 3761 dnsNames: 3762 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 3763 type: array 3764 items: 3765 type: string 3766 dnsZones: 3767 description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. 3768 type: array 3769 items: 3770 type: string 3771 matchLabels: 3772 description: A label selector that is used to refine the set of Certificates that this challenge solver will apply to. 3773 type: object 3774 additionalProperties: 3775 type: string 3776 ca: 3777 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. 3778 type: object 3779 required: 3780 - secretName 3781 properties: 3782 crlDistributionPoints: 3783 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. 3784 type: array 3785 items: 3786 type: string 3787 ocspServers: 3788 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". 3789 type: array 3790 items: 3791 type: string 3792 secretName: 3793 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
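The solver `selector` descriptions above define a precedence (an exact `dnsNames` match, then the most specific `dnsZones` match, then the solver with the most `matchLabels`, then list order, with a selector-less solver as the lowest-priority default). The following Go program is an added example that implements that precedence as stated in the descriptions; it is not cert-manager's own selection code, and the `Solver.Name` field, the sample solvers and the domains are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Selector mirrors the `solvers[].selector` stanza of the Issuer CRD.
type Selector struct {
	DNSNames    []string
	DNSZones    []string
	MatchLabels map[string]string
}

// Solver is one entry of `spec.acme.solvers`; only the selector matters here.
// Name is an illustrative tag for printing, not a CRD field.
type Solver struct {
	Name     string
	Selector *Selector
}

// rank orders candidate solvers the way the CRD descriptions state:
// dnsNames match > most specific dnsZones match > most matchLabels > earliest.
type rank struct {
	dnsName  int // 1 when selector.dnsNames lists the domain exactly
	zoneSpec int // label count of the most specific matching dnsZone (0 = none)
	labels   int // number of matchLabels entries (all of which matched)
	index    int // position in the solvers list; lower wins ties
}

func (a rank) beats(b rank) bool {
	if a.dnsName != b.dnsName {
		return a.dnsName > b.dnsName
	}
	if a.zoneSpec != b.zoneSpec {
		return a.zoneSpec > b.zoneSpec
	}
	if a.labels != b.labels {
		return a.labels > b.labels
	}
	return a.index < b.index
}

func normalize(name string) string { return strings.ToLower(strings.TrimSuffix(name, ".")) }

// zoneMatches reports whether domain is zone itself or lies beneath it.
// Wildcard identifiers ("*.example.com") are not special-cased in this example.
func zoneMatches(domain, zone string) bool {
	domain, zone = normalize(domain), normalize(zone)
	return domain == zone || strings.HasSuffix(domain, "."+zone)
}

// eligible returns the rank of solver i for domain, and false when its selector
// rules it out. A nil or empty selector is the lowest-priority default solver.
func eligible(domain string, certLabels map[string]string, sel *Selector, i int) (rank, bool) {
	r := rank{index: i}
	if sel == nil {
		return r, true
	}
	for k, v := range sel.MatchLabels {
		if certLabels[k] != v {
			return r, false // every matchLabels entry must be present on the Certificate
		}
	}
	r.labels = len(sel.MatchLabels)
	for _, n := range sel.DNSNames {
		if normalize(n) == normalize(domain) {
			r.dnsName = 1
		}
	}
	for _, z := range sel.DNSZones {
		if zoneMatches(domain, z) {
			if spec := strings.Count(normalize(z), ".") + 1; spec > r.zoneSpec {
				r.zoneSpec = spec
			}
		}
	}
	if (len(sel.DNSNames) > 0 || len(sel.DNSZones) > 0) && r.dnsName == 0 && r.zoneSpec == 0 {
		return r, false // selector names DNS identifiers, none of which cover domain
	}
	return r, true
}

// SelectSolver returns the index of the solver that should solve domain for a
// Certificate carrying certLabels, or -1 when no solver (not even a default) applies.
func SelectSolver(domain string, certLabels map[string]string, solvers []Solver) int {
	best, chosen := rank{}, -1
	for i, s := range solvers {
		if r, ok := eligible(domain, certLabels, s.Selector, i); ok && (chosen == -1 || r.beats(best)) {
			best, chosen = r, i
		}
	}
	return chosen
}

func main() {
	solvers := []Solver{ // constructed sample, mirroring the description's example
		{Name: "default"},
		{Name: "zone-example", Selector: &Selector{DNSZones: []string{"example.com"}}},
		{Name: "zone-sys", Selector: &Selector{DNSZones: []string{"sys.example.com"}}},
		{Name: "prod-www", Selector: &Selector{DNSNames: []string{"www.sys.example.com"}, MatchLabels: map[string]string{"env": "prod"}}},
	}
	for _, d := range []string{"www.sys.example.com", "api.example.com", "other.org"} {
		if i := SelectSolver(d, map[string]string{"env": "prod"}, solvers); i >= 0 {
			fmt.Printf("%-22s -> %s\n", d, solvers[i].Name)
		}
	}
}
```

The security-relevant consequence of the ordering is that a solver with a broad `dnsZones` entry never steals a name from a narrower one, but a solver with only `matchLabels` applies to every domain of a Certificate that carries those labels, so labels on Certificates effectively choose which DNS provider credentials get used.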
3794 type: string 3795 selfSigned: 3796 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 3797 type: object 3798 properties: 3799 crlDistributionPoints: 3800 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. 3801 type: array 3802 items: 3803 type: string 3804 vault: 3805 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. 3806 type: object 3807 required: 3808 - auth 3809 - path 3810 - server 3811 properties: 3812 auth: 3813 description: Auth configures how cert-manager authenticates with the Vault server. 3814 type: object 3815 properties: 3816 appRole: 3817 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 3818 type: object 3819 required: 3820 - path 3821 - roleId 3822 - secretRef 3823 properties: 3824 path: 3825 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' 3826 type: string 3827 roleId: 3828 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 3829 type: string 3830 secretRef: 3831 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 3832 type: object 3833 required: 3834 - name 3835 properties: 3836 key: 3837 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
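The `ca` issuer stanza above signs with a keypair held in the Secret named by `secretName` and stamps `crlDistributionPoints` and `ocspServers` into each issued certificate. The Go program below is an added example, not cert-manager's issuing code: it builds a throwaway CA, issues a leaf carrying those two extensions via Go's `crypto/x509`, shows the `tls.crt`/`tls.key` layout of a `kubernetes.io/tls` Secret (the key names cert-manager reads from `ca.secretName`), and verifies the chain. The CA name, the leaf DNS name and the CRL URL are constructed values; the OCSP URL is the one quoted in the field description.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IssuedPair holds a CA keypair (what the Issuer's ca.secretName Secret would
// contain) and one leaf the CA signed.
type IssuedPair struct {
	CA    *x509.Certificate
	CAKey *ecdsa.PrivateKey
	Leaf  *x509.Certificate
}

// IssueWithRevocationPointers builds a self-signed CA, then signs a leaf for
// leafDNS carrying the CRL Distribution Points and OCSP responder URLs given,
// which is what the Issuer's crlDistributionPoints and ocspServers fields put
// into every certificate it issues. Empty slices leave the extensions out.
func IssueWithRevocationPointers(leafDNS string, cdp, ocsp []string) (*IssuedPair, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "internal-root-ca"}, // constructed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: leafDNS},
		DNSNames:              []string{leafDNS},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: cdp,  // spec.ca.crlDistributionPoints
		OCSPServer:            ocsp, // spec.ca.ocspServers
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &IssuedPair{CA: ca, CAKey: caKey, Leaf: leaf}, nil
}

// CASecretData renders the CA keypair as the kubernetes.io/tls Secret that
// ca.secretName points at: PEM under tls.crt and tls.key (the API server
// base64-encodes these values when the Secret is stored).
func CASecretData(p *IssuedPair) (map[string][]byte, error) {
	keyDER, err := x509.MarshalECPrivateKey(p.CAKey)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: p.CA.Raw}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// VerifyChain checks that the leaf chains to the CA for its DNS name. Go's path
// validation never fetches the CRL or queries the OCSP responder: the two
// extensions only tell a relying party where it may check revocation itself.
func VerifyChain(p *IssuedPair) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: p.Leaf.DNSNames[0]})
	return err
}

func main() {
	p, err := IssueWithRevocationPointers("svc.internal.example",
		[]string{"http://crl.internal.example/root.crl"}, []string{"http://ocsp.int-x3.letsencrypt.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println("CRL DP:", p.Leaf.CRLDistributionPoints, "OCSP:", p.Leaf.OCSPServer, "chain ok:", VerifyChain(p) == nil)
}
```

The practical caveat this demonstrates: setting `crlDistributionPoints` or `ocspServers` on the Issuer does not make anything publish a CRL or run a responder. Unless the URLs actually serve revocation data, clients that do check them will fail or soft-fail, and clients that do not (including Go's default verifier) will keep trusting a leaf you believed revoked.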
3838 type: string 3839 name: 3840 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3841 type: string 3842 kubernetes: 3843 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 3844 type: object 3845 required: 3846 - role 3847 - secretRef 3848 properties: 3849 mountPath: 3850 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 3851 type: string 3852 role: 3853 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 3854 type: string 3855 secretRef: 3856 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. 3857 type: object 3858 required: 3859 - name 3860 properties: 3861 key: 3862 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3863 type: string 3864 name: 3865 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3866 type: string 3867 tokenSecretRef: 3868 description: TokenSecretRef authenticates with Vault by presenting a token. 3869 type: object 3870 required: 3871 - name 3872 properties: 3873 key: 3874 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3875 type: string 3876 name: 3877 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3878 type: string 3879 caBundle: 3880 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. 3881 type: string 3882 format: byte 3883 namespace: 3884 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' 3885 type: string 3886 path: 3887 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' 3888 type: string 3889 server: 3890 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' 3891 type: string 3892 venafi: 3893 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. 3894 type: object 3895 required: 3896 - zone 3897 properties: 3898 cloud: 3899 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 3900 type: object 3901 required: 3902 - apiTokenSecretRef 3903 properties: 3904 apiTokenSecretRef: 3905 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. 3906 type: object 3907 required: 3908 - name 3909 properties: 3910 key: 3911 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 3912 type: string 3913 name: 3914 description: 'Name of the resource being referred to. 
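The `vault` stanza above describes a two-step exchange: cert-manager logs in at `<mountPath>/login` (defaulting to `/v1/auth/kubernetes`) with the `role` and the ServiceAccount JWT from `secretRef`, then posts the CSR to `/v1/<path>` with the returned client token, sending the `namespace` as a header when set. The Go program below is an added example that plays both sides of that exchange offline with `net/http/httptest`; it is not cert-manager's Vault client and the stand-in server only mimics the shape of Vault's Kubernetes auth login and PKI `sign` responses. The mount path `/v1/auth/foo`, role, JWT, sign path and CSR body are constructed values, and the server speaks plain HTTP, so the `caBundle` field is not exercised.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// FakeCSR is a constructed placeholder; a real request carries a DER/PEM CSR.
const FakeCSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...constructed...\n-----END CERTIFICATE REQUEST-----\n"

// loginRequest is the body the Kubernetes auth method expects at <mountPath>/login.
type loginRequest struct {
	Role string `json:"role"`
	JWT  string `json:"jwt"`
}

// NewFakeVault returns an in-memory stand-in for Vault that accepts exactly one
// (role, jwt) pair at mountPath+"/login" and signs CSRs at "/v1/"+signPath only
// when the client token it issued is presented. Everything else is denied.
func NewFakeVault(mountPath, role, jwt, signPath string) *httptest.Server {
	const token = "hvs.constructed-client-token"
	deny := func(w http.ResponseWriter) { http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden) }
	mux := http.NewServeMux()
	mux.HandleFunc(mountPath+"/login", func(w http.ResponseWriter, r *http.Request) {
		var req loginRequest
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil || req.Role != role || req.JWT != jwt {
			deny(w)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"auth": map[string]string{"client_token": token}})
	})
	mux.HandleFunc("/v1/"+signPath, func(w http.ResponseWriter, r *http.Request) {
		var body map[string]string
		if r.Header.Get("X-Vault-Token") != token {
			deny(w)
			return
		}
		if json.NewDecoder(r.Body).Decode(&body) != nil || !strings.Contains(body["csr"], "BEGIN CERTIFICATE REQUEST") {
			http.Error(w, `{"errors":["csr required"]}`, http.StatusBadRequest)
			return
		}
		// A real PKI backend signs the CSR; the stand-in returns a marker certificate.
		json.NewEncoder(w).Encode(map[string]interface{}{"data": map[string]string{
			"certificate": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"}})
	})
	return httptest.NewServer(mux)
}

// postJSON sends body as JSON, attaching X-Vault-Token and X-Vault-Namespace when set.
func postJSON(url, token, namespace string, body interface{}) (map[string]interface{}, error) {
	buf, _ := json.Marshal(body)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(buf))
	if err != nil {
		return nil, err
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	if namespace != "" {
		req.Header.Set("X-Vault-Namespace", namespace) // Vault Enterprise namespaces
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d: %s", url, resp.StatusCode, strings.TrimSpace(string(raw)))
	}
	var out map[string]interface{}
	return out, json.Unmarshal(raw, &out)
}

// SignViaVault performs the exchange the Issuer's vault stanza describes: log in
// with the ServiceAccount JWT at <mountPath>/login, then POST the CSR to
// /v1/<path> with the returned client token. An empty mountPath falls back to
// the CRD default "/v1/auth/kubernetes".
func SignViaVault(server, mountPath, role, jwt, path, namespace, csrPEM string) (string, error) {
	if mountPath == "" {
		mountPath = "/v1/auth/kubernetes"
	}
	login, err := postJSON(server+mountPath+"/login", "", namespace, loginRequest{Role: role, JWT: jwt})
	if err != nil {
		return "", fmt.Errorf("vault login: %w", err)
	}
	auth, _ := login["auth"].(map[string]interface{})
	token, _ := auth["client_token"].(string)
	if token == "" {
		return "", fmt.Errorf("vault login: no client_token in response")
	}
	signed, err := postJSON(server+"/v1/"+path, token, namespace, map[string]string{"csr": csrPEM})
	if err != nil {
		return "", fmt.Errorf("vault sign: %w", err)
	}
	data, _ := signed["data"].(map[string]interface{})
	cert, _ := data["certificate"].(string)
	if cert == "" {
		return "", fmt.Errorf("vault sign: no certificate in response")
	}
	return cert, nil
}

func main() {
	srv := NewFakeVault("/v1/auth/foo", "cert-manager", "eyJ.constructed-sa-jwt", "my_pki_mount/sign/my-role-name")
	defer srv.Close()
	cert, err := SignViaVault(srv.URL, "/v1/auth/foo", "cert-manager", "eyJ.constructed-sa-jwt", "my_pki_mount/sign/my-role-name", "", FakeCSR)
	fmt.Printf("signed: %q err=%v\n", cert, err)
	_, err = SignViaVault(srv.URL, "/v1/auth/foo", "cert-manager", "some-other-jwt", "my_pki_mount/sign/my-role-name", "", FakeCSR)
	fmt.Println("wrong jwt:", err)
}
```

Two things the exchange makes concrete: the JWT in `secretRef` is a bearer credential that by itself yields a Vault token scoped to whatever policies the `role` binds, so the Secret deserves the same RBAC as the CA key it indirectly unlocks; and the `path` is the full `sign` endpoint of one PKI role, so issuance limits (allowed domains, TTLs) are enforced by that Vault role, not by the Issuer.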
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3915 type: string 3916 url: 3917 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". 3918 type: string 3919 tpp: 3920 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 3921 type: object 3922 required: 3923 - credentialsRef 3924 - url 3925 properties: 3926 caBundle: 3927 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. 3928 type: string 3929 format: byte 3930 credentialsRef: 3931 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. 3932 type: object 3933 required: 3934 - name 3935 properties: 3936 name: 3937 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 3938 type: string 3939 url: 3940 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 3941 type: string 3942 zone: 3943 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 3944 type: string 3945 status: 3946 description: Status of the Issuer. This is set and managed automatically. 3947 type: object 3948 properties: 3949 acme: 3950 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
3951 type: object 3952 properties: 3953 lastRegisteredEmail: 3954 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer. 3955 type: string 3956 uri: 3957 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA. 3958 type: string 3959 conditions: 3960 description: List of status conditions to indicate the status of an Issuer. Known condition types are `Ready`. 3961 type: array 3962 items: 3963 description: IssuerCondition contains condition information for an Issuer. 3964 type: object 3965 required: 3966 - status 3967 - type 3968 properties: 3969 lastTransitionTime: 3970 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. 3971 type: string 3972 format: date-time 3973 message: 3974 description: Message is a human readable description of the details of the last transition, complementing reason. 3975 type: string 3976 observedGeneration: 3977 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. 3978 type: integer 3979 format: int64 3980 reason: 3981 description: Reason is a brief machine readable explanation for the condition's last transition. 3982 type: string 3983 status: 3984 description: Status of the condition, one of (`True`, `False`, `Unknown`). 3985 type: string 3986 enum: 3987 - "True" 3988 - "False" 3989 - Unknown 3990 type: 3991 description: Type of the condition, known values are (`Ready`).
3992 type: string 3993 served: true 3994 storage: true 3995 --- 3996 # Source: cert-manager/templates/templates.out 3997 apiVersion: apiextensions.k8s.io/v1 3998 kind: CustomResourceDefinition 3999 metadata: 4000 name: orders.acme.cert-manager.io 4001 annotations: 4002 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' 4003 labels: 4004 app: 'cert-manager' 4005 app.kubernetes.io/name: 'cert-manager' 4006 app.kubernetes.io/instance: 'cert-manager' 4007 # Generated labels 4008 app.kubernetes.io/version: "v1.7.1" 4009 spec: 4010 group: acme.cert-manager.io 4011 names: 4012 kind: Order 4013 listKind: OrderList 4014 plural: orders 4015 singular: order 4016 categories: 4017 - cert-manager 4018 - cert-manager-acme 4019 scope: Namespaced 4020 versions: 4021 - name: v1 4022 subresources: 4023 status: {} 4024 additionalPrinterColumns: 4025 - jsonPath: .status.state 4026 name: State 4027 type: string 4028 - jsonPath: .spec.issuerRef.name 4029 name: Issuer 4030 priority: 1 4031 type: string 4032 - jsonPath: .status.reason 4033 name: Reason 4034 priority: 1 4035 type: string 4036 - jsonPath: .metadata.creationTimestamp 4037 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 4038 name: Age 4039 type: date 4040 schema: 4041 openAPIV3Schema: 4042 description: Order is a type to represent an Order with an ACME server 4043 type: object 4044 required: 4045 - metadata 4046 - spec 4047 properties: 4048 apiVersion: 4049 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4050 type: string 4051 kind: 4052 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4053 type: string 4054 metadata: 4055 type: object 4056 spec: 4057 type: object 4058 required: 4059 - issuerRef 4060 - request 4061 properties: 4062 commonName: 4063 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. 4064 type: string 4065 dnsNames: 4066 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4067 type: array 4068 items: 4069 type: string 4070 duration: 4071 description: Duration is the duration for the not-after date of the requested certificate. This is set on order creation as per the ACME spec. 4072 type: string 4073 ipAddresses: 4074 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 4075 type: array 4076 items: 4077 type: string 4078 issuerRef: 4079 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. 4080 type: object 4081 required: 4082 - name 4083 properties: 4084 group: 4085 description: Group of the resource being referred to.
4086 type: string 4087 kind: 4088 description: Kind of the resource being referred to. 4089 type: string 4090 name: 4091 description: Name of the resource being referred to. 4092 type: string 4093 request: 4094 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 4095 type: string 4096 format: byte 4097 status: 4098 type: object 4099 properties: 4100 authorizations: 4101 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. 4102 type: array 4103 items: 4104 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource. 4105 type: object 4106 required: 4107 - url 4108 properties: 4109 challenges: 4110 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. 4111 type: array 4112 items: 4113 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 4114 type: object 4115 required: 4116 - token 4117 - type 4118 - url 4119 properties: 4120 token: 4121 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. 4122 type: string 4123 type: 4124 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager; other values will be ignored. 4125 type: string 4126 url: 4127 description: URL is the URL of this challenge.
It can be used to retrieve additional metadata about the Challenge from the ACME server. 4128 type: string 4129 identifier: 4130 description: Identifier is the DNS name to be validated as part of this authorization 4131 type: string 4132 initialState: 4133 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. 4134 type: string 4135 enum: 4136 - valid 4137 - ready 4138 - pending 4139 - processing 4140 - invalid 4141 - expired 4142 - errored 4143 url: 4144 description: URL is the URL of the Authorization that must be completed 4145 type: string 4146 wildcard: 4147 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. 4148 type: boolean 4149 certificate: 4150 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. 4151 type: string 4152 format: byte 4153 failureTime: 4154 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. 4155 type: string 4156 format: date-time 4157 finalizeURL: 4158 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. 
4159 type: string 4160 reason: 4161 description: Reason optionally provides more information about why the order is in the current state. 4162 type: string 4163 state: 4164 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'. 4165 type: string 4166 enum: 4167 - valid 4168 - ready 4169 - pending 4170 - processing 4171 - invalid 4172 - expired 4173 - errored 4174 url: 4175 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. 4176 type: string 4177 served: true 4178 storage: true