github.com/wmuizelaar/kpt@v0.0.0-20221018115725-bd564717b2ed/package-examples/cert-manager-basic/crds/customresourcedefinition-challenges-acme-cert-manager-io.yaml (about) 1 # Source: cert-manager/templates/crd-templates.yaml 2 apiVersion: apiextensions.k8s.io/v1 3 kind: CustomResourceDefinition 4 metadata: 5 name: challenges.acme.cert-manager.io 6 labels: 7 app: 'cert-manager' 8 app.kubernetes.io/name: 'cert-manager' 9 app.kubernetes.io/instance: 'cert-manager' 10 # Generated labels 11 app.kubernetes.io/version: "v1.8.2" 12 spec: 13 group: acme.cert-manager.io 14 names: 15 kind: Challenge 16 listKind: ChallengeList 17 plural: challenges 18 singular: challenge 19 categories: 20 - cert-manager 21 - cert-manager-acme 22 scope: Namespaced 23 versions: 24 - additionalPrinterColumns: 25 - jsonPath: .status.state 26 name: State 27 type: string 28 - jsonPath: .spec.dnsName 29 name: Domain 30 type: string 31 - jsonPath: .status.reason 32 name: Reason 33 priority: 1 34 type: string 35 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 36 jsonPath: .metadata.creationTimestamp 37 name: Age 38 type: date 39 name: v1 40 schema: 41 openAPIV3Schema: 42 description: Challenge is a type to represent a Challenge request with an ACME server 43 type: object 44 required: 45 - metadata 46 - spec 47 properties: 48 apiVersion: 49 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 50 type: string 51 kind: 52 description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 53 type: string 54 metadata: 55 type: object 56 spec: 57 type: object 58 required: 59 - authorizationURL 60 - dnsName 61 - issuerRef 62 - key 63 - solver 64 - token 65 - type 66 - url 67 properties: 68 authorizationURL: 69 description: The URL to the ACME Authorization resource that this challenge is a part of. 70 type: string 71 dnsName: 72 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. 73 type: string 74 issuerRef: 75 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. 76 type: object 77 required: 78 - name 79 properties: 80 group: 81 description: Group of the resource being referred to. 82 type: string 83 kind: 84 description: Kind of the resource being referred to. 85 type: string 86 name: 87 description: Name of the resource being referred to. 88 type: string 89 key: 90 description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.' 91 type: string 92 solver: 93 description: Contains the domain solving configuration that should be used to solve this challenge resource. 
94 type: object 95 properties: 96 dns01: 97 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 98 type: object 99 properties: 100 acmeDNS: 101 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. 102 type: object 103 required: 104 - accountSecretRef 105 - host 106 properties: 107 accountSecretRef: 108 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 109 type: object 110 required: 111 - name 112 properties: 113 key: 114 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 115 type: string 116 name: 117 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 118 type: string 119 host: 120 type: string 121 akamai: 122 description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 123 type: object 124 required: 125 - accessTokenSecretRef 126 - clientSecretSecretRef 127 - clientTokenSecretRef 128 - serviceConsumerDomain 129 properties: 130 accessTokenSecretRef: 131 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 132 type: object 133 required: 134 - name 135 properties: 136 key: 137 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 138 type: string 139 name: 140 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 141 type: string 142 clientSecretSecretRef: 143 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
144 type: object 145 required: 146 - name 147 properties: 148 key: 149 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 150 type: string 151 name: 152 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 153 type: string 154 clientTokenSecretRef: 155 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 156 type: object 157 required: 158 - name 159 properties: 160 key: 161 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 162 type: string 163 name: 164 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 165 type: string 166 serviceConsumerDomain: 167 type: string 168 azureDNS: 169 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 170 type: object 171 required: 172 - resourceGroupName 173 - subscriptionID 174 properties: 175 clientID: 176 description: if both this and ClientSecret are left unset MSI will be used 177 type: string 178 clientSecretSecretRef: 179 description: if both this and ClientID are left unset MSI will be used 180 type: object 181 required: 182 - name 183 properties: 184 key: 185 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 186 type: string 187 name: 188 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 189 type: string 190 environment: 191 description: name of the Azure environment (default AzurePublicCloud) 192 type: string 193 enum: 194 - AzurePublicCloud 195 - AzureChinaCloud 196 - AzureGermanCloud 197 - AzureUSGovernmentCloud 198 hostedZoneName: 199 description: name of the DNS zone that should be used 200 type: string 201 managedIdentity: 202 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID 203 type: object 204 properties: 205 clientID: 206 description: client ID of the managed identity, can not be used at the same time as resourceID 207 type: string 208 resourceID: 209 description: resource ID of the managed identity, can not be used at the same time as clientID 210 type: string 211 resourceGroupName: 212 description: resource group the DNS zone is located in 213 type: string 214 subscriptionID: 215 description: ID of the Azure subscription 216 type: string 217 tenantID: 218 description: when specifying ClientID and ClientSecret then this field is also needed 219 type: string 220 cloudDNS: 221 description: Use the Google Cloud DNS API to manage DNS01 challenge records. 222 type: object 223 required: 224 - project 225 properties: 226 hostedZoneName: 227 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. 228 type: string 229 project: 230 type: string 231 serviceAccountSecretRef: 232 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 233 type: object 234 required: 235 - name 236 properties: 237 key: 238 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
239 type: string 240 name: 241 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 242 type: string 243 cloudflare: 244 description: Use the Cloudflare API to manage DNS01 challenge records. 245 type: object 246 properties: 247 apiKeySecretRef: 248 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' 249 type: object 250 required: 251 - name 252 properties: 253 key: 254 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 255 type: string 256 name: 257 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 258 type: string 259 apiTokenSecretRef: 260 description: API token used to authenticate with Cloudflare. 261 type: object 262 required: 263 - name 264 properties: 265 key: 266 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 267 type: string 268 name: 269 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 270 type: string 271 email: 272 description: Email of the account, only required when using API key based authentication. 273 type: string 274 cnameStrategy: 275 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. 276 type: string 277 enum: 278 - None 279 - Follow 280 digitalocean: 281 description: Use the DigitalOcean DNS API to manage DNS01 challenge records. 
282 type: object 283 required: 284 - tokenSecretRef 285 properties: 286 tokenSecretRef: 287 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 288 type: object 289 required: 290 - name 291 properties: 292 key: 293 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 294 type: string 295 name: 296 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 297 type: string 298 rfc2136: 299 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. 300 type: object 301 required: 302 - nameserver 303 properties: 304 nameserver: 305 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. 306 type: string 307 tsigAlgorithm: 308 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' 309 type: string 310 tsigKeyName: 311 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. 312 type: string 313 tsigSecretSecretRef: 314 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 315 type: object 316 required: 317 - name 318 properties: 319 key: 320 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
321 type: string 322 name: 323 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 324 type: string 325 route53: 326 description: Use the AWS Route53 API to manage DNS01 challenge records. 327 type: object 328 required: 329 - region 330 properties: 331 accessKeyID: 332 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' 333 type: string 334 hostedZoneID: 335 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 336 type: string 337 region: 338 description: Always set the region when using AccessKeyID and SecretAccessKey 339 type: string 340 role: 341 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata 342 type: string 343 secretAccessKeySecretRef: 344 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials 345 type: object 346 required: 347 - name 348 properties: 349 key: 350 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 351 type: string 352 name: 353 description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' 354 type: string 355 webhook: 356 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. 357 type: object 358 required: 359 - groupName 360 - solverName 361 properties: 362 config: 363 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 364 x-kubernetes-preserve-unknown-fields: true 365 groupName: 366 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. 367 type: string 368 solverName: 369 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. 370 type: string 371 http01: 372 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 373 type: object 374 properties: 375 gatewayHTTPRoute: 376 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. 
377 type: object 378 properties: 379 labels: 380 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. 381 type: object 382 additionalProperties: 383 type: string 384 parentRefs: 385 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' 386 type: array 387 items: 388 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." 389 type: object 390 required: 391 - name 392 properties: 393 group: 394 description: "Group is the group of the referent. \n Support: Core" 395 type: string 396 default: gateway.networking.k8s.io 397 maxLength: 253 398 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 399 kind: 400 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)" 401 type: string 402 default: Gateway 403 maxLength: 63 404 minLength: 1 405 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 406 name: 407 description: "Name is the name of the referent. \n Support: Core" 408 type: string 409 maxLength: 253 410 minLength: 1 411 namespace: 412 description: "Namespace is the namespace of the referent. 
When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" 413 type: string 414 maxLength: 63 415 minLength: 1 416 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 417 sectionName: 418 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" 419 type: string 420 maxLength: 253 421 minLength: 1 422 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 423 serviceType: 424 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 425 type: string 426 ingress: 427 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. 428 type: object 429 properties: 430 class: 431 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
432 type: string 433 ingressTemplate: 434 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 435 type: object 436 properties: 437 metadata: 438 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 439 type: object 440 properties: 441 annotations: 442 description: Annotations that should be added to the created ACME HTTP01 solver ingress. 443 type: object 444 additionalProperties: 445 type: string 446 labels: 447 description: Labels that should be added to the created ACME HTTP01 solver ingress. 448 type: object 449 additionalProperties: 450 type: string 451 name: 452 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. 453 type: string 454 podTemplate: 455 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. 456 type: object 457 properties: 458 metadata: 459 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. 460 type: object 461 properties: 462 annotations: 463 description: Annotations that should be added to the create ACME HTTP01 solver pods. 464 type: object 465 additionalProperties: 466 type: string 467 labels: 468 description: Labels that should be added to the created ACME HTTP01 solver pods. 
469 type: object 470 additionalProperties: 471 type: string 472 spec: 473 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. 474 type: object 475 properties: 476 affinity: 477 description: If specified, the pod's scheduling constraints 478 type: object 479 properties: 480 nodeAffinity: 481 description: Describes node affinity scheduling rules for the pod. 482 type: object 483 properties: 484 preferredDuringSchedulingIgnoredDuringExecution: 485 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. 486 type: array 487 items: 488 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 489 type: object 490 required: 491 - preference 492 - weight 493 properties: 494 preference: 495 description: A node selector term, associated with the corresponding weight. 496 type: object 497 properties: 498 matchExpressions: 499 description: A list of node selector requirements by node's labels. 500 type: array 501 items: 502 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
503 type: object 504 required: 505 - key 506 - operator 507 properties: 508 key: 509 description: The label key that the selector applies to. 510 type: string 511 operator: 512 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 513 type: string 514 values: 515 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 516 type: array 517 items: 518 type: string 519 matchFields: 520 description: A list of node selector requirements by node's fields. 521 type: array 522 items: 523 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 524 type: object 525 required: 526 - key 527 - operator 528 properties: 529 key: 530 description: The label key that the selector applies to. 531 type: string 532 operator: 533 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 534 type: string 535 values: 536 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 537 type: array 538 items: 539 type: string 540 weight: 541 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
542 type: integer 543 format: int32 544 requiredDuringSchedulingIgnoredDuringExecution: 545 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. 546 type: object 547 required: 548 - nodeSelectorTerms 549 properties: 550 nodeSelectorTerms: 551 description: Required. A list of node selector terms. The terms are ORed. 552 type: array 553 items: 554 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 555 type: object 556 properties: 557 matchExpressions: 558 description: A list of node selector requirements by node's labels. 559 type: array 560 items: 561 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 562 type: object 563 required: 564 - key 565 - operator 566 properties: 567 key: 568 description: The label key that the selector applies to. 569 type: string 570 operator: 571 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 572 type: string 573 values: 574 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 575 type: array 576 items: 577 type: string 578 matchFields: 579 description: A list of node selector requirements by node's fields. 
580 type: array 581 items: 582 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 583 type: object 584 required: 585 - key 586 - operator 587 properties: 588 key: 589 description: The label key that the selector applies to. 590 type: string 591 operator: 592 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 593 type: string 594 values: 595 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 596 type: array 597 items: 598 type: string 599 podAffinity: 600 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 601 type: object 602 properties: 603 preferredDuringSchedulingIgnoredDuringExecution: 604 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. 
                                              type: array
                                              items:
                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                                type: object
                                                required:
                                                  - podAffinityTerm
                                                  - weight
                                                properties:
                                                  podAffinityTerm:
                                                    description: Required. A pod affinity term, associated with the corresponding weight.
                                                    type: object
                                                    required:
                                                      - topologyKey
                                                    properties:
                                                      labelSelector:
                                                        description: A label query over a set of resources, in this case pods.
                                                        type: object
                                                        properties:
                                                          matchExpressions:
                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                            type: array
                                                            items:
                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                              type: object
                                                              required:
                                                                - key
                                                                - operator
                                                              properties:
                                                                key:
                                                                  description: key is the label key that the selector applies to.
                                                                  type: string
                                                                operator:
                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                  type: string
                                                                values:
                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                  type: array
                                                                  items:
                                                                    type: string
                                                          matchLabels:
                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                            type: object
                                                            additionalProperties:
                                                              type: string
                                                      namespaceSelector:
                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                        type: object
                                                        properties:
                                                          matchExpressions:
                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                            type: array
                                                            items:
                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                              type: object
                                                              required:
                                                                - key
                                                                - operator
                                                              properties:
                                                                key:
                                                                  description: key is the label key that the selector applies to.
                                                                  type: string
                                                                operator:
                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                  type: string
                                                                values:
                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                  type: array
                                                                  items:
                                                                    type: string
                                                          matchLabels:
                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                            type: object
                                                            additionalProperties:
                                                              type: string
                                                      namespaces:
                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                        type: array
                                                        items:
                                                          type: string
                                                      topologyKey:
                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                        type: string
                                                  weight:
                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                    type: integer
                                                    format: int32
                                            requiredDuringSchedulingIgnoredDuringExecution:
                                              description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                              type: array
                                              items:
                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                type: object
                                                required:
                                                  - topologyKey
                                                properties:
                                                  labelSelector:
                                                    description: A label query over a set of resources, in this case pods.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaceSelector:
                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaces:
                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                    type: array
                                                    items:
                                                      type: string
                                                  topologyKey:
                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                    type: string
                                        podAntiAffinity:
                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
                                          type: object
                                          properties:
                                            preferredDuringSchedulingIgnoredDuringExecution:
                                              description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
                                              type: array
                                              items:
                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
                                                type: object
                                                required:
                                                  - podAffinityTerm
                                                  - weight
                                                properties:
                                                  podAffinityTerm:
                                                    description: Required. A pod affinity term, associated with the corresponding weight.
                                                    type: object
                                                    required:
                                                      - topologyKey
                                                    properties:
                                                      labelSelector:
                                                        description: A label query over a set of resources, in this case pods.
                                                        type: object
                                                        properties:
                                                          matchExpressions:
                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                            type: array
                                                            items:
                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                              type: object
                                                              required:
                                                                - key
                                                                - operator
                                                              properties:
                                                                key:
                                                                  description: key is the label key that the selector applies to.
                                                                  type: string
                                                                operator:
                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                  type: string
                                                                values:
                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                  type: array
                                                                  items:
                                                                    type: string
                                                          matchLabels:
                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                            type: object
                                                            additionalProperties:
                                                              type: string
                                                      namespaceSelector:
                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                        type: object
                                                        properties:
                                                          matchExpressions:
                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                            type: array
                                                            items:
                                                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                              type: object
                                                              required:
                                                                - key
                                                                - operator
                                                              properties:
                                                                key:
                                                                  description: key is the label key that the selector applies to.
                                                                  type: string
                                                                operator:
                                                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                                  type: string
                                                                values:
                                                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                                  type: array
                                                                  items:
                                                                    type: string
                                                          matchLabels:
                                                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                            type: object
                                                            additionalProperties:
                                                              type: string
                                                      namespaces:
                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                        type: array
                                                        items:
                                                          type: string
                                                      topologyKey:
                                                        description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                        type: string
                                                  weight:
                                                    description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
                                                    type: integer
                                                    format: int32
                                            requiredDuringSchedulingIgnoredDuringExecution:
                                              description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
                                              type: array
                                              items:
                                                description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
                                                type: object
                                                required:
                                                  - topologyKey
                                                properties:
                                                  labelSelector:
                                                    description: A label query over a set of resources, in this case pods.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaceSelector:
                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
                                                    type: object
                                                    properties:
                                                      matchExpressions:
                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                                        type: array
                                                        items:
                                                          description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                                          type: object
                                                          required:
                                                            - key
                                                            - operator
                                                          properties:
                                                            key:
                                                              description: key is the label key that the selector applies to.
                                                              type: string
                                                            operator:
                                                              description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                                              type: string
                                                            values:
                                                              description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                                              type: array
                                                              items:
                                                                type: string
                                                      matchLabels:
                                                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                                        type: object
                                                        additionalProperties:
                                                          type: string
                                                  namespaces:
                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
                                                    type: array
                                                    items:
                                                      type: string
                                                  topologyKey:
                                                    description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
                                                    type: string
                                    nodeSelector:
                                      description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                                      type: object
                                      additionalProperties:
                                        type: string
                                    priorityClassName:
                                      description: If specified, the pod's priorityClassName.
                                      type: string
                                    serviceAccountName:
                                      description: If specified, the pod's service account
                                      type: string
                                    tolerations:
                                      description: If specified, the pod's tolerations.
                                      type: array
                                      items:
                                        description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
                                        type: object
                                        properties:
                                          effect:
                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                                            type: string
                                          key:
                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                                            type: string
                                          operator:
                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                                            type: string
                                          tolerationSeconds:
                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                                            type: integer
                                            format: int64
                                          value:
                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
                                            type: string
                            serviceType:
                              description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
                              type: string
                    selector:
                      description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
                      type: object
                      properties:
                        dnsNames:
                          description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                          type: array
                          items:
                            type: string
                        dnsZones:
                          description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                          type: array
                          items:
                            type: string
                        matchLabels:
                          description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
                          type: object
                          additionalProperties:
                            type: string
                token:
                  description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
                  type: string
                type:
                  description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
                  type: string
                  enum:
                    - HTTP-01
                    - DNS-01
                url:
                  description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
                  type: string
                wildcard:
                  description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
                  type: boolean
            status:
              type: object
              properties:
                presented:
                  description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
                  type: boolean
                processing:
                  description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
                  type: boolean
                reason:
                  description: Contains human readable information on why the Challenge is in the current state.
                  type: string
                state:
                  description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
                  type: string
                  enum:
                    - valid
                    - ready
                    - pending
                    - processing
                    - invalid
                    - expired
                    - errored
      served: true
      storage: true
      subresources:
        status: {}