github.com/wmuizelaar/kpt@v0.0.0-20221018115725-bd564717b2ed/package-examples/cert-manager-basic/crds/customresourcedefinition-issuers-cert-manager-io.yaml (about)

     1  # Source: cert-manager/templates/crd-templates.yaml
     2  apiVersion: apiextensions.k8s.io/v1
     3  kind: CustomResourceDefinition
     4  metadata:
     5    name: issuers.cert-manager.io
     6    annotations:
     7      cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
     8    labels:
     9      app: 'cert-manager'
    10      app.kubernetes.io/name: 'cert-manager'
    11      app.kubernetes.io/instance: 'cert-manager'
    12      # Generated labels
    13      app.kubernetes.io/version: "v1.8.2"
    14  spec:
    15    group: cert-manager.io
    16    names:
    17      kind: Issuer
    18      listKind: IssuerList
    19      plural: issuers
    20      singular: issuer
    21      categories:
    22        - cert-manager
    23    scope: Namespaced
    24    versions:
    25      - name: v1
    26        subresources:
    27          status: {}
    28        additionalPrinterColumns:
    29          - jsonPath: .status.conditions[?(@.type=="Ready")].status
    30            name: Ready
    31            type: string
    32          - jsonPath: .status.conditions[?(@.type=="Ready")].message
    33            name: Status
    34            priority: 1
    35            type: string
    36          - jsonPath: .metadata.creationTimestamp
    37            description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
    38            name: Age
    39            type: date
    40        schema:
    41          openAPIV3Schema:
    42            description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
    43            type: object
    44            required:
    45              - spec
    46            properties:
    47              apiVersion:
    48                description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    49                type: string
    50              kind:
    51                description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    52                type: string
    53              metadata:
    54                type: object
    55              spec:
    56                description: Desired state of the Issuer resource.
    57                type: object
    58                properties:
    59                  acme:
    60                    description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
    61                    type: object
    62                    required:
    63                      - privateKeySecretRef
    64                      - server
    65                    properties:
    66                      disableAccountKeyGeneration:
    67                        description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
    68                        type: boolean
    69                      email:
    70                        description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
    71                        type: string
    72                      enableDurationFeature:
    73                        description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
    74                        type: boolean
    75                      externalAccountBinding:
    76                        description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
    77                        type: object
    78                        required:
    79                          - keyID
    80                          - keySecretRef
    81                        properties:
    82                          keyAlgorithm:  # Deprecated: the description states the MAC algorithm is hardcoded to HS256.
    83                            description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
    84                            type: string
    85                            enum:  # values still accepted by the schema for compatibility; presumably HS384/HS512 have no effect (confirm against the controller)
    86                              - HS256
    87                              - HS384
    88                              - HS512
    89                          keyID:
    90                            description: keyID is the ID of the CA key that the External Account is bound to.
    91                            type: string
    92                          keySecretRef:
    93                            description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
    94                            type: object
    95                            required:
    96                              - name
    97                            properties:
    98                              key:
    99                                description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   100                                type: string
   101                              name:
   102                                description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   103                                type: string
   104                      preferredChain:
   105                        description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
   106                        type: string
   107                        maxLength: 64
   108                      privateKeySecretRef:
   109                        description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
   110                        type: object
   111                        required:
   112                          - name
   113                        properties:
   114                          key:
   115                            description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   116                            type: string
   117                          name:
   118                            description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   119                            type: string
   120                      server:
   121                        description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
   122                        type: string
   123                      skipTLSVerify:  # Security: true disables TLS certificate validation for the ACME server; per the description, development only.
   124                        description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
   125                        type: boolean  # worth auditing or blocking by admission policy: Issuers with skipTLSVerify set to true
   126                      solvers:
   127                        description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
   128                        type: array
   129                        items:
   130                          description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
   131                          type: object
   132                          properties:
   133                            dns01:
   134                              description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
   135                              type: object
   136                              properties:
   137                                acmeDNS:
   138                                  description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
   139                                  type: object
   140                                  required:
   141                                    - accountSecretRef
   142                                    - host
   143                                  properties:
   144                                    accountSecretRef:
   145                                      description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
   146                                      type: object
   147                                      required:
   148                                        - name
   149                                      properties:
   150                                        key:
   151                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   152                                          type: string
   153                                        name:
   154                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   155                                          type: string
   156                                    host:
   157                                      type: string
   158                                akamai:
   159                                  description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
   160                                  type: object
   161                                  required:
   162                                    - accessTokenSecretRef
   163                                    - clientSecretSecretRef
   164                                    - clientTokenSecretRef
   165                                    - serviceConsumerDomain
   166                                  properties:
   167                                    accessTokenSecretRef:
   168                                      description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
   169                                      type: object
   170                                      required:
   171                                        - name
   172                                      properties:
   173                                        key:
   174                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   175                                          type: string
   176                                        name:
   177                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   178                                          type: string
   179                                    clientSecretSecretRef:
   180                                      description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
   181                                      type: object
   182                                      required:
   183                                        - name
   184                                      properties:
   185                                        key:
   186                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   187                                          type: string
   188                                        name:
   189                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   190                                          type: string
   191                                    clientTokenSecretRef:
   192                                      description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
   193                                      type: object
   194                                      required:
   195                                        - name
   196                                      properties:
   197                                        key:
   198                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   199                                          type: string
   200                                        name:
   201                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   202                                          type: string
   203                                    serviceConsumerDomain:
   204                                      type: string
   205                                azureDNS:
   206                                  description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
   207                                  type: object
   208                                  required:
   209                                    - resourceGroupName
   210                                    - subscriptionID
   211                                  properties:
   212                                    clientID:
   213                                      description: if both this and ClientSecret are left unset MSI will be used
   214                                      type: string
   215                                    clientSecretSecretRef:
   216                                      description: if both this and ClientID are left unset MSI will be used
   217                                      type: object
   218                                      required:
   219                                        - name
   220                                      properties:
   221                                        key:
   222                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   223                                          type: string
   224                                        name:
   225                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   226                                          type: string
   227                                    environment:
   228                                      description: name of the Azure environment (default AzurePublicCloud)
   229                                      type: string
   230                                      enum:
   231                                        - AzurePublicCloud
   232                                        - AzureChinaCloud
   233                                        - AzureGermanCloud
   234                                        - AzureUSGovernmentCloud
   235                                    hostedZoneName:
   236                                      description: name of the DNS zone that should be used
   237                                      type: string
   238                                    managedIdentity:
   239                                      description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
   240                                      type: object
   241                                      properties:
   242                                        clientID:
   243                                          description: client ID of the managed identity, can not be used at the same time as resourceID
   244                                          type: string
   245                                        resourceID:
   246                                          description: resource ID of the managed identity, can not be used at the same time as clientID
   247                                          type: string
   248                                    resourceGroupName:
   249                                      description: resource group the DNS zone is located in
   250                                      type: string
   251                                    subscriptionID:
   252                                      description: ID of the Azure subscription
   253                                      type: string
   254                                    tenantID:
   255                                      description: when specifying ClientID and ClientSecret then this field is also needed
   256                                      type: string
   257                                cloudDNS:
   258                                  description: Use the Google Cloud DNS API to manage DNS01 challenge records.
   259                                  type: object
   260                                  required:
   261                                    - project
   262                                  properties:
   263                                    hostedZoneName:
   264                                      description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
   265                                      type: string
   266                                    project:
   267                                      type: string
   268                                    serviceAccountSecretRef:
   269                                      description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
   270                                      type: object
   271                                      required:
   272                                        - name
   273                                      properties:
   274                                        key:
   275                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   276                                          type: string
   277                                        name:
   278                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   279                                          type: string
   280                                cloudflare:
   281                                  description: Use the Cloudflare API to manage DNS01 challenge records.
   282                                  type: object
   283                                  properties:
   284                                    apiKeySecretRef:  # Legacy API-key auth: the description recommends apiTokenSecretRef instead, since a token allows tighter permission scoping.
   285                                      description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
   286                                      type: object
   287                                      required:  # only the Secret name is mandatory; the Issuer holds a reference, the key material stays in the Secret
   288                                        - name
   289                                      properties:
   290                                        key:
   291                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   292                                          type: string
   293                                        name:
   294                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   295                                          type: string
   296                                    apiTokenSecretRef:
   297                                      description: API token used to authenticate with Cloudflare.
   298                                      type: object
   299                                      required:
   300                                        - name
   301                                      properties:
   302                                        key:
   303                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   304                                          type: string
   305                                        name:
   306                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   307                                          type: string
   308                                    email:
   309                                      description: Email of the account, only required when using API key based authentication.
   310                                      type: string
   311                                cnameStrategy:
   312                                  description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
   313                                  type: string
   314                                  enum:
   315                                    - None
   316                                    - Follow
   317                                digitalocean:
   318                                  description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
   319                                  type: object
   320                                  required:
   321                                    - tokenSecretRef
   322                                  properties:
   323                                    tokenSecretRef:
   324                                      description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
   325                                      type: object
   326                                      required:
   327                                        - name
   328                                      properties:
   329                                        key:
   330                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   331                                          type: string
   332                                        name:
   333                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   334                                          type: string
   335                                rfc2136:
   336                                  description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
   337                                  type: object
   338                                  required:
   339                                    - nameserver
   340                                  properties:
   341                                    nameserver:
   342                                      description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
   343                                      type: string
   344                                    tsigAlgorithm:  # Security: the description names HMACMD5 as the default; set HMACSHA256 or HMACSHA512 explicitly where the DNS server supports it.
   345                                      description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
   346                                      type: string  # plain string with no enum, so this schema does not reject an unsupported or misspelled value
   347                                    tsigKeyName:
   348                                      description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
   349                                      type: string
   350                                    tsigSecretSecretRef:
   351                                      description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
   352                                      type: object
   353                                      required:
   354                                        - name
   355                                      properties:
   356                                        key:
   357                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   358                                          type: string
   359                                        name:
   360                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   361                                          type: string
   362                                route53:
   363                                  description: Use the AWS Route53 API to manage DNS01 challenge records.
   364                                  type: object
   365                                  required:
   366                                    - region
   367                                  properties:
   368                                    accessKeyID:  # Access key identifier only; the secret half is referenced via secretAccessKeySecretRef.
   369                                      description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
   370                                      type: string  # when unset, the description says credentials fall back to env vars, the shared credentials file or instance metadata
   371                                    hostedZoneID:
   372                                      description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
   373                                      type: string
   374                                    region:
   375                                      description: Always set the region when using AccessKeyID and SecretAccessKey
   376                                      type: string
   377                                    role:
   378                                      description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
   379                                      type: string
   380                                    secretAccessKeySecretRef:
                                            # Reference to a Secret entry holding the AWS secret access key; only the
                                            # Secret's name (required) and data key (optional) appear in the Issuer,
                                            # never the key material itself.
                                            # There is no namespace property, so the Secret is presumably resolved in
                                            # the Issuer's own namespace (an Issuer is namespace-scoped) - confirm
                                            # against the controller.
                                            # NOTE(review): limit read access on the referenced Secret via RBAC.
   381                                      description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
   382                                      type: object
   383                                      required:
   384                                        - name
   385                                      properties:
   386                                        key:
   387                                          description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
   388                                          type: string
   389                                        name:
   390                                          description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   391                                          type: string
   392                                webhook:
                                        # External DNS01 solver. cert-manager POSTs ChallengePayload resources to a
                                        # webhook apiserver selected by groupName and solverName (both required).
   393                                  description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
   394                                  type: object
   395                                  required:
   396                                    - groupName
   397                                    - solverName
   398                                  properties:
   399                                    config:
                                            # No `type` is declared and unknown fields are preserved, so the API
                                            # server neither validates nor prunes what is placed here.
                                            # The content is stored in the Issuer object and is visible to anyone
                                            # who can read Issuers, which is why the description directs
                                            # credentials to a Secret reference instead of this stanza.
   400                                      description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
   401                                      x-kubernetes-preserve-unknown-fields: true
   402                                    groupName:
   403                                      description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
   404                                      type: string
   405                                    solverName:
   406                                      description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
   407                                      type: string
   408                            http01:
   409                              description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
   410                              type: object
   411                              properties:
   412                                gatewayHTTPRoute:
                                        # Experimental (per the description) HTTP-01 solver: cert-manager creates
                                        # HTTPRoutes in the challenge's namespace and attaches them to parentRefs.
   413                                  description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
   414                                  type: object
   415                                  properties:
   416                                    labels:
   417                                      description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
   418                                      type: object
   419                                      additionalProperties:
   420                                        type: string
   421                                    parentRefs:
                                            # Each entry may name a parent in another namespace via `namespace`.
                                            # Whether the route is actually accepted is decided by the parent:
                                            # the sectionName description notes that Gateway listeners can
                                            # restrict attachment by Route kind, namespace, or hostname.
   422                                      description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
   423                                      type: array
   424                                      items:
   425                                        description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
   426                                        type: object
   427                                        required:
   428                                          - name
   429                                        properties:
   430                                          group:
   431                                            description: "Group is the group of the referent. \n Support: Core"
   432                                            type: string
   433                                            default: gateway.networking.k8s.io
   434                                            maxLength: 253
   435                                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
   436                                          kind:
   437                                            description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
   438                                            type: string
   439                                            default: Gateway
   440                                            maxLength: 63
   441                                            minLength: 1
   442                                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
   443                                          name:
   444                                            description: "Name is the name of the referent. \n Support: Core"
   445                                            type: string
   446                                            maxLength: 253
   447                                            minLength: 1
   448                                          namespace:
   449                                            description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
   450                                            type: string
   451                                            maxLength: 63
   452                                            minLength: 1
   453                                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
   454                                          sectionName:
   455                                            description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
   456                                            type: string
   457                                            maxLength: 253
   458                                            minLength: 1
   459                                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
   460                                    serviceType:
                                            # Unset means NodePort (per the description), which publishes the
                                            # solver Service on a port of every node. The two supported values
                                            # are named in prose only; no enum is declared on the field.
                                            # NOTE(review): prefer ClusterIP where the gateway can reach
                                            # cluster-internal Services.
   461                                      description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
   462                                      type: string
   463                                ingress:
   464                                  description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
   465                                  type: object
   466                                  properties:
   467                                    class:
                                            # Ingress class applied to solver Ingresses that cert-manager creates.
                                            # The "only one of 'class' or 'name'" rule is stated in prose; nothing
                                            # on this field encodes it, so enforcement presumably happens in
                                            # cert-manager's own validation - confirm.
   468                                      description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
   469                                      type: string
   470                                    ingressTemplate:
                                            # Metadata overrides for the solver Ingress. Both maps are free-form
                                            # string-to-string, and per the description the values given here
                                            # replace built-in ones on overlap.
                                            # NOTE(review): Ingress annotations commonly steer ingress-controller
                                            # behaviour, so write access to Issuers in this namespace should be
                                            # treated as able to influence how the challenge path is exposed.
   471                                      description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
   472                                      type: object
   473                                      properties:
   474                                        metadata:
   475                                          description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
   476                                          type: object
   477                                          properties:
   478                                            annotations:
   479                                              description: Annotations that should be added to the created ACME HTTP01 solver ingress.
   480                                              type: object
   481                                              additionalProperties:
   482                                                type: string
   483                                            labels:
   484                                              description: Labels that should be added to the created ACME HTTP01 solver ingress.
   485                                              type: object
   486                                              additionalProperties:
   487                                                type: string
   488                                    name:
                                            # Name of an existing Ingress that cert-manager edits in place by
                                            # inserting the challenge routes, instead of creating a new Ingress.
                                            # NOTE(review): because the controller modifies the named resource,
                                            # review who may point an Issuer at a shared Ingress.
   489                                      description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
   490                                      type: string
   491                                    podTemplate:
   492                                      description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
   493                                      type: object
   494                                      properties:
   495                                        metadata:
                                                # Label and annotation overrides for the HTTP01 solver pods. Both
                                                # maps are free-form string-to-string, and values set here take
                                                # precedence over built-in ones (per the description).
                                                # NOTE(review): pod labels are matched by Service and NetworkPolicy
                                                # selectors, and annotations can trigger injectors or admission
                                                # behaviour, so Issuer write access can affect those.
   496                                          description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
   497                                          type: object
   498                                          properties:
   499                                            annotations:
   500                                              description: Annotations that should be added to the create ACME HTTP01 solver pods.
   501                                              type: object
   502                                              additionalProperties:
   503                                                type: string
   504                                            labels:
   505                                              description: Labels that should be added to the created ACME HTTP01 solver pods.
   506                                              type: object
   507                                              additionalProperties:
   508                                                type: string
   509                                        spec:
   510                                          description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
   511                                          type: object
   512                                          properties:
   513                                            affinity:
   514                                              description: If specified, the pod's scheduling constraints
   515                                              type: object
   516                                              properties:
   517                                                nodeAffinity:
                                                        # Node placement rules for the HTTP01 solver pod: `preferred...`
                                                        # holds weighted hints, `required...` holds hard constraints whose
                                                        # nodeSelectorTerms are ORed.
                                                        # Can be used to confine solver pods, which answer ACME validation
                                                        # requests, to a dedicated node pool.
                                                        # `operator` fields below are plain strings; the operators named in
                                                        # the descriptions are not declared as an enum in this schema.
   518                                                  description: Describes node affinity scheduling rules for the pod.
   519                                                  type: object
   520                                                  properties:
   521                                                    preferredDuringSchedulingIgnoredDuringExecution:
   522                                                      description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
   523                                                      type: array
   524                                                      items:
   525                                                        description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
   526                                                        type: object
   527                                                        required:
   528                                                          - preference
   529                                                          - weight
   530                                                        properties:
   531                                                          preference:
   532                                                            description: A node selector term, associated with the corresponding weight.
   533                                                            type: object
   534                                                            properties:
   535                                                              matchExpressions:
   536                                                                description: A list of node selector requirements by node's labels.
   537                                                                type: array
   538                                                                items:
   539                                                                  description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   540                                                                  type: object
   541                                                                  required:
   542                                                                    - key
   543                                                                    - operator
   544                                                                  properties:
   545                                                                    key:
   546                                                                      description: The label key that the selector applies to.
   547                                                                      type: string
   548                                                                    operator:
   549                                                                      description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
   550                                                                      type: string
   551                                                                    values:
   552                                                                      description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
   553                                                                      type: array
   554                                                                      items:
   555                                                                        type: string
   556                                                              matchFields:
   557                                                                description: A list of node selector requirements by node's fields.
   558                                                                type: array
   559                                                                items:
   560                                                                  description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   561                                                                  type: object
   562                                                                  required:
   563                                                                    - key
   564                                                                    - operator
   565                                                                  properties:
   566                                                                    key:
   567                                                                      description: The label key that the selector applies to.
   568                                                                      type: string
   569                                                                    operator:
   570                                                                      description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
   571                                                                      type: string
   572                                                                    values:
   573                                                                      description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
   574                                                                      type: array
   575                                                                      items:
   576                                                                        type: string
   577                                                          weight:
                                                                  # The 1-100 range is stated in prose only; no minimum or
                                                                  # maximum is declared on this field.
   578                                                            description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
   579                                                            type: integer
   580                                                            format: int32
   581                                                    requiredDuringSchedulingIgnoredDuringExecution:
   582                                                      description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
   583                                                      type: object
   584                                                      required:
   585                                                        - nodeSelectorTerms
   586                                                      properties:
   587                                                        nodeSelectorTerms:
   588                                                          description: Required. A list of node selector terms. The terms are ORed.
   589                                                          type: array
   590                                                          items:
   591                                                            description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
   592                                                            type: object
   593                                                            properties:
   594                                                              matchExpressions:
   595                                                                description: A list of node selector requirements by node's labels.
   596                                                                type: array
   597                                                                items:
   598                                                                  description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   599                                                                  type: object
   600                                                                  required:
   601                                                                    - key
   602                                                                    - operator
   603                                                                  properties:
   604                                                                    key:
   605                                                                      description: The label key that the selector applies to.
   606                                                                      type: string
   607                                                                    operator:
   608                                                                      description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
   609                                                                      type: string
   610                                                                    values:
   611                                                                      description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
   612                                                                      type: array
   613                                                                      items:
   614                                                                        type: string
   615                                                              matchFields:
   616                                                                description: A list of node selector requirements by node's fields.
   617                                                                type: array
   618                                                                items:
   619                                                                  description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   620                                                                  type: object
   621                                                                  required:
   622                                                                    - key
   623                                                                    - operator
   624                                                                  properties:
   625                                                                    key:
   626                                                                      description: The label key that the selector applies to.
   627                                                                      type: string
   628                                                                    operator:
   629                                                                      description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
   630                                                                      type: string
   631                                                                    values:
   632                                                                      description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
   633                                                                      type: array
   634                                                                      items:
   635                                                                        type: string
   636                                                podAffinity:
   637                                                  description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
   638                                                  type: object
   639                                                  properties:
   640                                                    preferredDuringSchedulingIgnoredDuringExecution:
   641                                                      description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
   642                                                      type: array
   643                                                      items:
   644                                                        description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
   645                                                        type: object
   646                                                        required:
   647                                                          - podAffinityTerm
   648                                                          - weight
   649                                                        properties:
   650                                                          podAffinityTerm:
   651                                                            description: Required. A pod affinity term, associated with the corresponding weight.
   652                                                            type: object
   653                                                            required:
   654                                                              - topologyKey
   655                                                            properties:
   656                                                              labelSelector:
                                                                      # Label query selecting the pods this affinity term refers to.
                                                                      # matchLabels entries and matchExpressions requirements are
                                                                      # ANDed (per their descriptions).
                                                                      # `operator` is a plain string: In, NotIn, Exists and
                                                                      # DoesNotExist are listed in prose but not declared as an enum.
   657                                                                description: A label query over a set of resources, in this case pods.
   658                                                                type: object
   659                                                                properties:
   660                                                                  matchExpressions:
   661                                                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   662                                                                    type: array
   663                                                                    items:
   664                                                                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   665                                                                      type: object
   666                                                                      required:
   667                                                                        - key
   668                                                                        - operator
   669                                                                      properties:
   670                                                                        key:
   671                                                                          description: key is the label key that the selector applies to.
   672                                                                          type: string
   673                                                                        operator:
   674                                                                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   675                                                                          type: string
   676                                                                        values:
   677                                                                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   678                                                                          type: array
   679                                                                          items:
   680                                                                            type: string
   681                                                                  matchLabels:
   682                                                                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   683                                                                    type: object
   684                                                                    additionalProperties:
   685                                                                      type: string
   686                                                              namespaceSelector:
                                                                      # Review note: the description below distinguishes three cases that
                                                                      # are easy to confuse when writing or auditing a term:
                                                                      #   - selector omitted (null) and `namespaces` null/empty -> only
                                                                      #     this pod's own namespace;
                                                                      #   - selector set to `{}` -> every namespace;
                                                                      #   - anything else -> union of the selected namespaces and the
                                                                      #     `namespaces` list.
                                                                      # NOTE(review): the description says the field is only honored when
                                                                      # the PodAffinityNamespaceSelector feature is enabled; how a cluster
                                                                      # without it treats a value written here is not visible in this
                                                                      # schema - confirm before relying on a cross-namespace term.
   687                                                                description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
   688                                                                type: object
   689                                                                properties:
   690                                                                  matchExpressions:
   691                                                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   692                                                                    type: array
   693                                                                    items:
   694                                                                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   695                                                                      type: object
   696                                                                      required:
   697                                                                        - key
   698                                                                        - operator
   699                                                                      properties:
   700                                                                        key:
   701                                                                          description: key is the label key that the selector applies to.
   702                                                                          type: string
   703                                                                        operator:
                                                                                # NOTE(review): the valid operators are named in the description
                                                                                # only; this schema declares a plain string with no `enum`.
   704                                                                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   705                                                                          type: string
   706                                                                        values:
   707                                                                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   708                                                                          type: array
   709                                                                          items:
   710                                                                            type: string
   711                                                                  matchLabels:
   712                                                                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   713                                                                    type: object
   714                                                                    additionalProperties:
   715                                                                      type: string
   716                                                              namespaces:
   717                                                                description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
   718                                                                type: array
   719                                                                items:
   720                                                                  type: string
   721                                                              topologyKey:
   722                                                                description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
   723                                                                type: string
   724                                                          weight:
                                                                  # NOTE(review): the 1-100 range is stated in the description only.
                                                                  # This schema declares `type: integer` / `format: int32` with no
                                                                  # `minimum` or `maximum`, so an out-of-range value is not rejected
                                                                  # by this CRD's own validation. Whether a later stage rejects it is
                                                                  # not visible here - confirm.
   725                                                            description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
   726                                                            type: integer
   727                                                            format: int32
   728                                                    requiredDuringSchedulingIgnoredDuringExecution:
   729                                                      description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
   730                                                      type: array
   731                                                      items:
   732                                                        description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
   733                                                        type: object
   734                                                        required:
   735                                                          - topologyKey
   736                                                        properties:
   737                                                          labelSelector:
   738                                                            description: A label query over a set of resources, in this case pods.
   739                                                            type: object
   740                                                            properties:
   741                                                              matchExpressions:
   742                                                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   743                                                                type: array
   744                                                                items:
   745                                                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   746                                                                  type: object
   747                                                                  required:
   748                                                                    - key
   749                                                                    - operator
   750                                                                  properties:
   751                                                                    key:
   752                                                                      description: key is the label key that the selector applies to.
   753                                                                      type: string
   754                                                                    operator:
   755                                                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   756                                                                      type: string
   757                                                                    values:
   758                                                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   759                                                                      type: array
   760                                                                      items:
   761                                                                        type: string
   762                                                              matchLabels:
   763                                                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   764                                                                type: object
   765                                                                additionalProperties:
   766                                                                  type: string
   767                                                          namespaceSelector:
                                                                  # Review note: this selector belongs to a required (hard) affinity
                                                                  # term. Per the parent description, a pod whose required terms are
                                                                  # not met at scheduling time is not scheduled, so the namespaces
                                                                  # selected here decide whether the pod can be placed at all, not
                                                                  # only where it is preferred.
                                                                  # `{}` selects every namespace; an omitted selector together with a
                                                                  # null/empty `namespaces` list selects only the pod's own namespace.
                                                                  # NOTE(review): this schema places no limit on which namespaces a
                                                                  # term may select. Where cross-namespace terms should be restricted,
                                                                  # that is usually enforced outside the CRD (for example a
                                                                  # ResourceQuota using the CrossNamespacePodAffinity scope) - confirm
                                                                  # what applies to this cluster.
   768                                                            description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
   769                                                            type: object
   770                                                            properties:
   771                                                              matchExpressions:
   772                                                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   773                                                                type: array
   774                                                                items:
   775                                                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   776                                                                  type: object
   777                                                                  required:
   778                                                                    - key
   779                                                                    - operator
   780                                                                  properties:
   781                                                                    key:
   782                                                                      description: key is the label key that the selector applies to.
   783                                                                      type: string
   784                                                                    operator:
                                                                            # NOTE(review): the valid operators are named in the description
                                                                            # only; this schema declares a plain string with no `enum`.
   785                                                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   786                                                                      type: string
   787                                                                    values:
   788                                                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   789                                                                      type: array
   790                                                                      items:
   791                                                                        type: string
   792                                                              matchLabels:
   793                                                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   794                                                                type: object
   795                                                                additionalProperties:
   796                                                                  type: string
   797                                                          namespaces:
   798                                                            description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
   799                                                            type: array
   800                                                            items:
   801                                                              type: string
   802                                                          topologyKey:
   803                                                            description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
   804                                                            type: string
   805                                                podAntiAffinity:
   806                                                  description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
   807                                                  type: object
   808                                                  properties:
   809                                                    preferredDuringSchedulingIgnoredDuringExecution:
   810                                                      description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
   811                                                      type: array
   812                                                      items:
   813                                                        description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
   814                                                        type: object
   815                                                        required:
   816                                                          - podAffinityTerm
   817                                                          - weight
   818                                                        properties:
   819                                                          podAffinityTerm:
   820                                                            description: Required. A pod affinity term, associated with the corresponding weight.
   821                                                            type: object
   822                                                            required:
   823                                                              - topologyKey
   824                                                            properties:
   825                                                              labelSelector:
   826                                                                description: A label query over a set of resources, in this case pods.
   827                                                                type: object
   828                                                                properties:
   829                                                                  matchExpressions:
   830                                                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   831                                                                    type: array
   832                                                                    items:
   833                                                                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   834                                                                      type: object
   835                                                                      required:
   836                                                                        - key
   837                                                                        - operator
   838                                                                      properties:
   839                                                                        key:
   840                                                                          description: key is the label key that the selector applies to.
   841                                                                          type: string
   842                                                                        operator:
   843                                                                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   844                                                                          type: string
   845                                                                        values:
   846                                                                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   847                                                                          type: array
   848                                                                          items:
   849                                                                            type: string
   850                                                                  matchLabels:
   851                                                                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   852                                                                    type: object
   853                                                                    additionalProperties:
   854                                                                      type: string
   855                                                              namespaceSelector:
                                                                      # Review note: this selector belongs to a preferred (soft)
                                                                      # anti-affinity term. Per the parent description the scheduler may
                                                                      # still choose a node that violates the expression, so a term here
                                                                      # expresses a placement preference and should not be treated as an
                                                                      # isolation guarantee between workloads.
                                                                      # `{}` selects every namespace; an omitted selector together with a
                                                                      # null/empty `namespaces` list selects only the pod's own namespace.
   856                                                                description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
   857                                                                type: object
   858                                                                properties:
   859                                                                  matchExpressions:
   860                                                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   861                                                                    type: array
   862                                                                    items:
   863                                                                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   864                                                                      type: object
   865                                                                      required:
   866                                                                        - key
   867                                                                        - operator
   868                                                                      properties:
   869                                                                        key:
   870                                                                          description: key is the label key that the selector applies to.
   871                                                                          type: string
   872                                                                        operator:
   873                                                                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   874                                                                          type: string
   875                                                                        values:
   876                                                                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   877                                                                          type: array
   878                                                                          items:
   879                                                                            type: string
   880                                                                  matchLabels:
   881                                                                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   882                                                                    type: object
   883                                                                    additionalProperties:
   884                                                                      type: string
   885                                                              namespaces:
   886                                                                description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
   887                                                                type: array
   888                                                                items:
   889                                                                  type: string
   890                                                              topologyKey:
   891                                                                description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
   892                                                                type: string
   893                                                          weight:
                                                                  # NOTE(review): the 1-100 range is stated in the description only.
                                                                  # This schema declares `type: integer` / `format: int32` with no
                                                                  # `minimum` or `maximum`, so an out-of-range value is not rejected
                                                                  # by this CRD's own validation. Whether a later stage rejects it is
                                                                  # not visible here - confirm.
   894                                                            description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
   895                                                            type: integer
   896                                                            format: int32
   897                                                    requiredDuringSchedulingIgnoredDuringExecution:
   898                                                      description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
   899                                                      type: array
   900                                                      items:
   901                                                        description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
   902                                                        type: object
   903                                                        required:
   904                                                          - topologyKey
   905                                                        properties:
   906                                                          labelSelector:
   907                                                            description: A label query over a set of resources, in this case pods.
   908                                                            type: object
   909                                                            properties:
   910                                                              matchExpressions:
   911                                                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   912                                                                type: array
   913                                                                items:
   914                                                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   915                                                                  type: object
   916                                                                  required:
   917                                                                    - key
   918                                                                    - operator
   919                                                                  properties:
   920                                                                    key:
   921                                                                      description: key is the label key that the selector applies to.
   922                                                                      type: string
   923                                                                    operator:
   924                                                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   925                                                                      type: string
   926                                                                    values:
   927                                                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   928                                                                      type: array
   929                                                                      items:
   930                                                                        type: string
   931                                                              matchLabels:
   932                                                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   933                                                                type: object
   934                                                                additionalProperties:
   935                                                                  type: string
   936                                                          namespaceSelector:
   937                                                            description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
   938                                                            type: object
   939                                                            properties:
   940                                                              matchExpressions:
   941                                                                description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
   942                                                                type: array
   943                                                                items:
   944                                                                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
   945                                                                  type: object
   946                                                                  required:
   947                                                                    - key
   948                                                                    - operator
   949                                                                  properties:
   950                                                                    key:
   951                                                                      description: key is the label key that the selector applies to.
   952                                                                      type: string
   953                                                                    operator:
   954                                                                      description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
   955                                                                      type: string
   956                                                                    values:
   957                                                                      description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
   958                                                                      type: array
   959                                                                      items:
   960                                                                        type: string
   961                                                              matchLabels:
   962                                                                description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
   963                                                                type: object
   964                                                                additionalProperties:
   965                                                                  type: string
   966                                                          namespaces:
   967                                                            description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
   968                                                            type: array
   969                                                            items:
   970                                                              type: string
   971                                                          topologyKey:
   972                                                            description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
   973                                                            type: string
   974                                            nodeSelector:
   975                                              description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
   976                                              type: object
   977                                              additionalProperties:
   978                                                type: string
   979                                            priorityClassName:
   980                                              description: If specified, the pod's priorityClassName.
   981                                              type: string
   982                                            serviceAccountName:
   983                                              description: If specified, the pod's service account
   984                                              type: string
   985                                            tolerations:
   986                                              description: If specified, the pod's tolerations.
   987                                              type: array
   988                                              items:
   989                                                description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
   990                                                type: object
   991                                                properties:
   992                                                  effect:
   993                                                    description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
   994                                                    type: string
   995                                                  key:
   996                                                    description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
   997                                                    type: string
   998                                                  operator:
   999                                                    description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
  1000                                                    type: string
  1001                                                  tolerationSeconds:
  1002                                                    description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
  1003                                                    type: integer
  1004                                                    format: int64
  1005                                                  value:
  1006                                                    description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
  1007                                                    type: string
  1008                                    serviceType:
                                            # NOTE(review): per the description below, leaving this unset
                                            # yields a NodePort Service, which Kubernetes opens on a port of
                                            # every node. Set ClusterIP explicitly when challenge traffic only
                                            # needs to arrive through the ingress controller - confirm against
                                            # the ingress setup in use.
  1009                                      description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
  1010                                      type: string
  1011                            selector:
  1012                              description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
  1013                              type: object
  1014                              properties:
  1015                                dnsNames:
  1016                                  description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  1017                                  type: array
  1018                                  items:
  1019                                    type: string
  1020                                dnsZones:
  1021                                  description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  1022                                  type: array
  1023                                  items:
  1024                                    type: string
  1025                                matchLabels:
  1026                                  description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
  1027                                  type: object
  1028                                  additionalProperties:
  1029                                    type: string
  1030                  ca:
                          # NOTE(review): the Secret named by secretName holds the CA signing
                          # keypair (see description). Anyone able to read that Secret can
                          # presumably sign certificates as this CA, so keep RBAC on Secrets
                          # in the Issuer's namespace tight - verify against the cluster's roles.
  1031                    description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
  1032                    type: object
  1033                    required:
  1034                      - secretName
  1035                    properties:
  1036                      crlDistributionPoints:
                              # Optional. When unset, issued certificates carry no CRL location,
                              # so relying parties cannot look up revocation via this extension.
  1037                        description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
  1038                        type: array
  1039                        items:
  1040                          type: string
  1041                      ocspServers:
                              # Optional. When unset, issued certificates name no OCSP responder.
  1042                        description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
  1043                        type: array
  1044                        items:
  1045                          type: string
  1046                      secretName:
                              # The only required field of the ca issuer (see `required` above).
  1047                        description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
  1048                        type: string
  1049                  selfSigned:
                          # NOTE(review): per the description, the certificate is signed with
                          # the requester's own private key, so no other party vouches for it.
                          # Relying parties have to be given the certificate itself as a trust
                          # anchor. Presumably intended for bootstrapping a CA issuer rather
                          # than for serving workloads directly - confirm the intended use.
  1050                    description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
  1051                    type: object
  1052                    properties:
  1053                      crlDistributionPoints:
                              # Optional list of strings; when unset no CDP extension is added.
  1054                        description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
  1055                        type: array
  1056                        items:
  1057                          type: string
  1058                  vault:
  1059                    description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
  1060                    type: object
  1061                    required:
  1062                      - auth
  1063                      - path
  1064                      - server
  1065                    properties:
  1066                      auth:
  1067                        description: Auth configures how cert-manager authenticates with the Vault server.
  1068                        type: object
  1069                        properties:
  1070                          appRole:
  1071                            description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  1072                            type: object
  1073                            required:
  1074                              - path
  1075                              - roleId
  1076                              - secretRef
  1077                            properties:
  1078                              path:
  1079                                description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  1080                                type: string
  1081                              roleId:
  1082                                description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  1083                                type: string
  1084                              secretRef:
  1085                                description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  1086                                type: object
  1087                                required:
  1088                                  - name
  1089                                properties:
  1090                                  key:
  1091                                    description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1092                                    type: string
  1093                                  name:
  1094                                    description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1095                                    type: string
  1096                          kubernetes:
  1097                            description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1098                            type: object
  1099                            required:
  1100                              - role
  1101                              - secretRef
  1102                            properties:
  1103                              mountPath:
  1104                                description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
  1105                                type: string
  1106                              role:
  1107                                description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1108                                type: string
  1109                              secretRef:
  1110                                description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
  1111                                type: object
  1112                                required:
  1113                                  - name
  1114                                properties:
  1115                                  key:
  1116                                    description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1117                                    type: string
  1118                                  name:
  1119                                    description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1120                                    type: string
  1121                          tokenSecretRef:
  1122                            description: TokenSecretRef authenticates with Vault by presenting a token.
  1123                            type: object
  1124                            required:
  1125                              - name
  1126                            properties:
  1127                              key:
  1128                                description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1129                                type: string
  1130                              name:
  1131                                description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1132                                type: string
  1133                      caBundle:
                              # NOTE(review): the description states this bundle is ignored when
                              # `server` is a plain HTTP URL. In that case nothing authenticates
                              # the Vault endpoint, and the credentials configured under `auth`
                              # would presumably cross the network unencrypted - use an https://
                              # server value and pin the CA here where the system roots are too
                              # broad.
  1134                        description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1135                        type: string
  1136                        format: byte
  1137                      namespace:
  1138                        description: 'Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
  1139                        type: string
  1140                      path:
  1141                        description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
  1142                        type: string
  1143                      server:
  1144                        description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1145                        type: string
  1146                  venafi:
  1147                    description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
  1148                    type: object
  1149                    required:
  1150                      - zone
  1151                    properties:
  1152                      cloud:
  1153                        description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
  1154                        type: object
  1155                        required:
  1156                          - apiTokenSecretRef
  1157                        properties:
  1158                          apiTokenSecretRef:
  1159                            description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
  1160                            type: object
  1161                            required:
  1162                              - name
  1163                            properties:
  1164                              key:
  1165                                description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1166                                type: string
  1167                              name:
  1168                                description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1169                                type: string
  1170                          url:
  1171                            description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
  1172                            type: string
  1173                      tpp:
  1174                        description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
  1175                        type: object
  1176                        required:
  1177                          - credentialsRef
  1178                          - url
  1179                        properties:
  1180                          caBundle:
  1181                            description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
  1182                            type: string
  1183                            format: byte
  1184                          credentialsRef:
  1185                            description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
  1186                            type: object
  1187                            required:
  1188                              - name
  1189                            properties:
  1190                              name:
  1191                                description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1192                                type: string
  1193                          url:
  1194                            description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
  1195                            type: string
  1196                      zone:
  1197                        description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
  1198                        type: string
  1199              status:
  1200                description: Status of the Issuer. This is set and managed automatically.
  1201                type: object
  1202                properties:
  1203                  acme:
  1204                    description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
  1205                    type: object
  1206                    properties:
  1207                      lastRegisteredEmail:
  1208                        description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
  1209                        type: string
  1210                      uri:
  1211                        description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
  1212                        type: string
  1213                  conditions:
  1214                    description: List of status conditions to indicate the status of an Issuer. Known condition types are `Ready`.
  1215                    type: array
  1216                    items:
  1217                      description: IssuerCondition contains condition information for an Issuer.
  1218                      type: object
  1219                      required:
  1220                        - status
  1221                        - type
  1222                      properties:
  1223                        lastTransitionTime:
  1224                          description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
  1225                          type: string
  1226                          format: date-time
  1227                        message:
  1228                          description: Message is a human readable description of the details of the last transition, complementing reason.
  1229                          type: string
  1230                        observedGeneration:
  1231                          description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
  1232                          type: integer
  1233                          format: int64
  1234                        reason:
  1235                          description: Reason is a brief machine readable explanation for the condition's last transition.
  1236                          type: string
  1237                        status:
  1238                          description: Status of the condition, one of (`True`, `False`, `Unknown`).
  1239                          type: string
  1240                          enum:
  1241                            - "True"
  1242                            - "False"
  1243                            - Unknown
  1244                        type:
  1245                          description: Type of the condition, known values are (`Ready`).
  1246                          type: string
  1247                    x-kubernetes-list-map-keys:
  1248                      - type
  1249                    x-kubernetes-list-type: map
  1250        served: true
  1251        storage: true
  1252