{{- if .Values.installCRDs }}
# CRD for CertificateRequest (cert-manager.io/v1): a one-shot request for a signed
# certificate from a configured issuer. Rendered only when .Values.installCRDs is set;
# the matching Helm "end" action is not within this excerpt.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        # Status is written through the /status subresource, separately from spec.
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Approved")].status
          name: Approved
          type: string
        - jsonPath: .status.conditions[?(@.type=="Denied")].status
          name: Denied
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          type: string
        - jsonPath: .spec.username
          name: Requestor
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the CertificateRequest resource.
              type: object
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
                  type: string
                # extra, groups, uid and username record the identity of the requester.
                # Per their descriptions the cert-manager webhook populates them and keeps
                # them immutable; this schema itself carries no validation rule enforcing
                # that, so any approval logic keyed on these fields relies on the webhook.
                extra:
                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                # format: byte means the PEM CSR is carried base64-encoded in the API object.
                request:
                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
                  type: string
                  format: byte
                uid:
                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: Status of the CertificateRequest. This is set and managed automatically.
              type: object
              properties:
                ca:
                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          # Quoted so they stay strings rather than YAML booleans.
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
                        type: string
                  # Conditions are merged as a map keyed on "type" (one entry per type).
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failureTime:
                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      served: true
      storage: true
---
# CRD for Certificate (cert-manager.io/v1): declares a certificate that cert-manager
# keeps issued and renewed in the Secret named by spec.secretName.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
      - cert
      - certs
    singular: certificate
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        # Status is written through the /status subresource, separately from spec.
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.secretName
          name: Secret
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          priority: 1
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Certificate resource.
              type: object
              required:
                - issuerRef
                - secretName
              properties:
                # Alpha feature: only honoured when the feature gate named in the
                # description is enabled on both controller and webhook.
                additionalOutputFormats:
                  description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
                  type: array
                  items:
                    description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
                    type: object
                    required:
                      - type
                    properties:
                      type:
                        description: Type is the name of the format type that should be written to the Certificate's target Secret.
                        type: string
                        enum:
                          - DER
                          - CombinedPEM
                commonName:
                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                  type: string
                dnsNames:
                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                emailAddresses:
                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                encodeUsagesInRequest:
                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
                  type: boolean
                ipAddresses:
                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                isCA:
                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                keystores:
                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
                  type: object
                  properties:
                    jks:
                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        # The keystore password is referenced from a Secret (name + key);
                        # it is never written inline in the Certificate object.
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    pkcs12:
                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        # Same Secret-reference shape as jks.passwordSecretRef above.
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                literalSubject:
                  description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
                  type: string
                privateKey:
                  description: Options to control private keys used for the Certificate.
                  type: object
                  properties:
                    algorithm:
                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
                      type: string
                      enum:
                        - RSA
                        - ECDSA
                        - Ed25519
                    encoding:
                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
                      type: string
                      enum:
                        - PKCS1
                        - PKCS8
                    # Per the description the default is Never, i.e. an existing private
                    # key in the target Secret is reused across re-issuance; Always
                    # generates a fresh key on every re-issuance.
                    rotationPolicy:
                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
                      type: string
                      enum:
                        - Never
                        - Always
                    size:
                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
                      type: integer
                renewBefore:
                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                revisionHistoryLimit:
                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
                  type: integer
                  format: int32
                secretName:
                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
                  type: string
                secretTemplate:
                  description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
                  type: object
                  properties:
                    annotations:
                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                    labels:
                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                subject:
                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                  type: object
                  properties:
                    countries:
                      description: Countries to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    localities:
                      description: Cities to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizationalUnits:
                      description: Organizational Units to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizations:
                      description: Organizations to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    postalCodes:
                      description: Postal codes to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    provinces:
                      description: State/Provinces to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    serialNumber:
                      description: Serial number to be used on the Certificate.
                      type: string
                    streetAddresses:
                      description: Street addresses to be used on the Certificate.
                      type: array
                      items:
                        type: string
                uris:
                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
            status:
              description: Status of the Certificate. This is set and managed automatically.
              type: object
              properties:
                conditions:
                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
                  type: array
                  items:
                    description: CertificateCondition contains condition information for an Certificate.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          # Quoted so they stay strings rather than YAML booleans.
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `Issuing`).
                        type: string
                  # Conditions are merged as a map keyed on "type" (one entry per type).
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failedIssuanceAttempts:
                  description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
                  type: integer
                lastFailureTime:
                  description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.
                  type: string
                  format: date-time
                nextPrivateKeySecretName:
                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
                  type: string
                notAfter:
                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
                  type: string
                  format: date-time
                notBefore:
                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
                  type: string
                  format: date-time
                renewalTime:
                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
                  type: string
                  format: date-time
                revision:
                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
                  type: integer
      served: true
      storage: true
570---
571apiVersion: apiextensions.k8s.io/v1
572kind: CustomResourceDefinition
573metadata:
574 name: challenges.acme.cert-manager.io
575 labels:
576 app: '{{ template "cert-manager.name" . }}'
577 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
578 app.kubernetes.io/instance: '{{ .Release.Name }}'
579 # Generated labels {{- include "labels" . | nindent 4 }}
580spec:
581 group: acme.cert-manager.io
582 names:
583 kind: Challenge
584 listKind: ChallengeList
585 plural: challenges
586 singular: challenge
587 categories:
588 - cert-manager
589 - cert-manager-acme
590 scope: Namespaced
591 versions:
592 - additionalPrinterColumns:
593 - jsonPath: .status.state
594 name: State
595 type: string
596 - jsonPath: .spec.dnsName
597 name: Domain
598 type: string
599 - jsonPath: .status.reason
600 name: Reason
601 priority: 1
602 type: string
603 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
604 jsonPath: .metadata.creationTimestamp
605 name: Age
606 type: date
607 name: v1
608 schema:
609 openAPIV3Schema:
610 description: Challenge is a type to represent a Challenge request with an ACME server
611 type: object
612 required:
613 - metadata
614 - spec
615 properties:
616 apiVersion:
617 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
618 type: string
619 kind:
620 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
621 type: string
622 metadata:
623 type: object
624 spec:
625 type: object
626 required:
627 - authorizationURL
628 - dnsName
629 - issuerRef
630 - key
631 - solver
632 - token
633 - type
634 - url
635 properties:
636 authorizationURL:
637 description: The URL to the ACME Authorization resource that this challenge is a part of.
638 type: string
639 dnsName:
640 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
641 type: string
642 issuerRef:
643 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
644 type: object
645 required:
646 - name
647 properties:
648 group:
649 description: Group of the resource being referred to.
650 type: string
651 kind:
652 description: Kind of the resource being referred to.
653 type: string
654 name:
655 description: Name of the resource being referred to.
656 type: string
657 key:
658 description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
659 type: string
660 solver:
661 description: Contains the domain solving configuration that should be used to solve this challenge resource.
662 type: object
663 properties:
664 dns01:
665 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
666 type: object
667 properties:
668 acmeDNS:
669 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
670 type: object
671 required:
672 - accountSecretRef
673 - host
674 properties:
675 accountSecretRef:
676 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
677 type: object
678 required:
679 - name
680 properties:
681 key:
682 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
683 type: string
684 name:
685 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
686 type: string
687 host:
688 type: string
689 akamai:
690 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
691 type: object
692 required:
693 - accessTokenSecretRef
694 - clientSecretSecretRef
695 - clientTokenSecretRef
696 - serviceConsumerDomain
697 properties:
698 accessTokenSecretRef:
699 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
700 type: object
701 required:
702 - name
703 properties:
704 key:
705 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
706 type: string
707 name:
708 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
709 type: string
710 clientSecretSecretRef:
711 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
712 type: object
713 required:
714 - name
715 properties:
716 key:
717 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
718 type: string
719 name:
720 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
721 type: string
722 clientTokenSecretRef:
723 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
724 type: object
725 required:
726 - name
727 properties:
728 key:
729 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
730 type: string
731 name:
732 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
733 type: string
734 serviceConsumerDomain:
735 type: string
736 azureDNS:
737 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
738 type: object
739 required:
740 - resourceGroupName
741 - subscriptionID
742 properties:
743 clientID:
744 description: If both this and ClientSecret are left unset, MSI will be used.
745 type: string
746 clientSecretSecretRef:
747 description: If both this and ClientID are left unset, MSI will be used.
748 type: object
749 required:
750 - name
751 properties:
752 key:
753 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
754 type: string
755 name:
756 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
757 type: string
758 environment:
759 description: name of the Azure environment (default AzurePublicCloud)
760 type: string
761 enum:
762 - AzurePublicCloud
763 - AzureChinaCloud
764 - AzureGermanCloud
765 - AzureUSGovernmentCloud
766 hostedZoneName:
767 description: name of the DNS zone that should be used
768 type: string
769 managedIdentity:
770 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
771 type: object
772 properties:
773 clientID:
774 description: client ID of the managed identity, can not be used at the same time as resourceID
775 type: string
776 resourceID:
777 description: resource ID of the managed identity, can not be used at the same time as clientID
778 type: string
779 resourceGroupName:
780 description: resource group the DNS zone is located in
781 type: string
782 subscriptionID:
783 description: ID of the Azure subscription
784 type: string
785 tenantID:
786 description: when specifying ClientID and ClientSecret then this field is also needed
787 type: string
788 cloudDNS:
789 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
790 type: object
791 required:
792 - project
793 properties:
794 hostedZoneName:
795 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
796 type: string
797 project:
798 type: string
799 serviceAccountSecretRef:
800 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
801 type: object
802 required:
803 - name
804 properties:
805 key:
806 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
807 type: string
808 name:
809 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
810 type: string
811 cloudflare:
812 description: Use the Cloudflare API to manage DNS01 challenge records.
813 type: object
814 properties:
815 apiKeySecretRef:
816 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
817 type: object
818 required:
819 - name
820 properties:
821 key:
822 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
823 type: string
824 name:
825 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
826 type: string
827 apiTokenSecretRef:
828 description: API token used to authenticate with Cloudflare.
829 type: object
830 required:
831 - name
832 properties:
833 key:
834 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
835 type: string
836 name:
837 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
838 type: string
839 email:
840 description: Email of the account, only required when using API key based authentication.
841 type: string
842 cnameStrategy:
843 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
844 type: string
845 enum:
846 - None
847 - Follow
848 digitalocean:
849 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
850 type: object
851 required:
852 - tokenSecretRef
853 properties:
854 tokenSecretRef:
855 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
856 type: object
857 required:
858 - name
859 properties:
860 key:
861 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
862 type: string
863 name:
864 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
865 type: string
866 rfc2136:
867 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
868 type: object
869 required:
870 - nameserver
871 properties:
872 nameserver:
873 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address, it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
874 type: string
875 tsigAlgorithm:
876 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
877 type: string
878 tsigKeyName:
879 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
880 type: string
881 tsigSecretSecretRef:
882 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
883 type: object
884 required:
885 - name
886 properties:
887 key:
888 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
889 type: string
890 name:
891 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
892 type: string
893 route53:
894 description: Use the AWS Route53 API to manage DNS01 challenge records.
895 type: object
896 required:
897 - region
898 properties:
899 accessKeyID:
900 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
901 type: string
902 accessKeyIDSecretRef:
903 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
904 type: object
905 required:
906 - name
907 properties:
908 key:
909 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
910 type: string
911 name:
912 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
913 type: string
914 hostedZoneID:
915 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
916 type: string
917 region:
918 description: Always set the region when using AccessKeyID and SecretAccessKey
919 type: string
920 role:
921 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
922 type: string
923 secretAccessKeySecretRef:
924 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
925 type: object
926 required:
927 - name
928 properties:
929 key:
930 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
931 type: string
932 name:
933 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
934 type: string
935 webhook:
936 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
937 type: object
938 required:
939 - groupName
940 - solverName
941 properties:
942 config:
943 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
944 x-kubernetes-preserve-unknown-fields: true
945 groupName:
946 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
947 type: string
948 solverName:
949 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
950 type: string
951 http01:
952 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
953 type: object
954 properties:
955 gatewayHTTPRoute:
956 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
957 type: object
958 properties:
959 labels:
960 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
961 type: object
962 additionalProperties:
963 type: string
964 parentRefs:
965 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
966 type: array
967 items:
968 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
969 type: object
970 required:
971 - name
972 properties:
973 group:
974 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
975 type: string
976 default: gateway.networking.k8s.io
977 maxLength: 253
978 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
979 kind:
980 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
981 type: string
982 default: Gateway
983 maxLength: 63
984 minLength: 1
985 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
986 name:
987 description: "Name is the name of the referent. \n Support: Core"
988 type: string
989 maxLength: 253
990 minLength: 1
991 namespace:
992 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
993 type: string
994 maxLength: 63
995 minLength: 1
996 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
997 port:
998 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
999 type: integer
1000 format: int32
1001 maximum: 65535
1002 minimum: 1
1003 sectionName:
1004 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
1005 type: string
1006 maxLength: 253
1007 minLength: 1
1008 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1009 serviceType:
1010 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1011 type: string
1012 ingress:
1013 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
1014 type: object
1015 properties:
1016 class:
1017 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
1018 type: string
1019 ingressClassName:
1020 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
1021 type: string
1022 ingressTemplate:
1023 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
1024 type: object
1025 properties:
1026 metadata:
1027 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1028 type: object
1029 properties:
1030 annotations:
1031 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
1032 type: object
1033 additionalProperties:
1034 type: string
1035 labels:
1036 description: Labels that should be added to the created ACME HTTP01 solver ingress.
1037 type: object
1038 additionalProperties:
1039 type: string
1040 name:
1041 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
1042 type: string
1043 podTemplate:
1044 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
1045 type: object
1046 properties:
1047 metadata:
1048 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1049 type: object
1050 properties:
1051 annotations:
1052 description: Annotations that should be added to the created ACME HTTP01 solver pods.
1053 type: object
1054 additionalProperties:
1055 type: string
1056 labels:
1057 description: Labels that should be added to the created ACME HTTP01 solver pods.
1058 type: object
1059 additionalProperties:
1060 type: string
1061 spec:
1062 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
1063 type: object
1064 properties:
1065 affinity:
1066 description: If specified, the pod's scheduling constraints
1067 type: object
1068 properties:
1069 nodeAffinity:
1070 description: Describes node affinity scheduling rules for the pod.
1071 type: object
1072 properties:
1073 preferredDuringSchedulingIgnoredDuringExecution:
1074 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
1075 type: array
1076 items:
1077 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1078 type: object
1079 required:
1080 - preference
1081 - weight
1082 properties:
1083 preference:
1084 description: A node selector term, associated with the corresponding weight.
1085 type: object
1086 properties:
1087 matchExpressions:
1088 description: A list of node selector requirements by node's labels.
1089 type: array
1090 items:
1091 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1092 type: object
1093 required:
1094 - key
1095 - operator
1096 properties:
1097 key:
1098 description: The label key that the selector applies to.
1099 type: string
1100 operator:
1101 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1102 type: string
1103 values:
1104 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1105 type: array
1106 items:
1107 type: string
1108 matchFields:
1109 description: A list of node selector requirements by node's fields.
1110 type: array
1111 items:
1112 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1113 type: object
1114 required:
1115 - key
1116 - operator
1117 properties:
1118 key:
1119 description: The label key that the selector applies to.
1120 type: string
1121 operator:
1122 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1123 type: string
1124 values:
1125 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1126 type: array
1127 items:
1128 type: string
1129 x-kubernetes-map-type: atomic
1130 weight:
1131 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
1132 type: integer
1133 format: int32
1134 requiredDuringSchedulingIgnoredDuringExecution:
1135 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
1136 type: object
1137 required:
1138 - nodeSelectorTerms
1139 properties:
1140 nodeSelectorTerms:
1141 description: Required. A list of node selector terms. The terms are ORed.
1142 type: array
1143 items:
1144 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
1145 type: object
1146 properties:
1147 matchExpressions:
1148 description: A list of node selector requirements by node's labels.
1149 type: array
1150 items:
1151 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1152 type: object
1153 required:
1154 - key
1155 - operator
1156 properties:
1157 key:
1158 description: The label key that the selector applies to.
1159 type: string
1160 operator:
1161 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1162 type: string
1163 values:
1164 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1165 type: array
1166 items:
1167 type: string
1168 matchFields:
1169 description: A list of node selector requirements by node's fields.
1170 type: array
1171 items:
1172 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1173 type: object
1174 required:
1175 - key
1176 - operator
1177 properties:
1178 key:
1179 description: The label key that the selector applies to.
1180 type: string
1181 operator:
1182 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1183 type: string
1184 values:
1185 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1186 type: array
1187 items:
1188 type: string
1189 x-kubernetes-map-type: atomic
1190 x-kubernetes-map-type: atomic
1191 podAffinity:
1192 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
1193 type: object
1194 properties:
1195 preferredDuringSchedulingIgnoredDuringExecution:
1196 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1197 type: array
1198 items:
1199 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1200 type: object
1201 required:
1202 - podAffinityTerm
1203 - weight
1204 properties:
1205 podAffinityTerm:
1206 description: Required. A pod affinity term, associated with the corresponding weight.
1207 type: object
1208 required:
1209 - topologyKey
1210 properties:
1211 labelSelector:
1212 description: A label query over a set of resources, in this case pods.
1213 type: object
1214 properties:
1215 matchExpressions:
1216 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1217 type: array
1218 items:
1219 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1220 type: object
1221 required:
1222 - key
1223 - operator
1224 properties:
1225 key:
1226 description: key is the label key that the selector applies to.
1227 type: string
1228 operator:
1229 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1230 type: string
1231 values:
1232 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1233 type: array
1234 items:
1235 type: string
1236 matchLabels:
1237 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1238 type: object
1239 additionalProperties:
1240 type: string
1241 x-kubernetes-map-type: atomic
1242 namespaceSelector:
1243 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1244 type: object
1245 properties:
1246 matchExpressions:
1247 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1248 type: array
1249 items:
1250 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1251 type: object
1252 required:
1253 - key
1254 - operator
1255 properties:
1256 key:
1257 description: key is the label key that the selector applies to.
1258 type: string
1259 operator:
1260 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1261 type: string
1262 values:
1263 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1264 type: array
1265 items:
1266 type: string
1267 matchLabels:
1268 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1269 type: object
1270 additionalProperties:
1271 type: string
1272 x-kubernetes-map-type: atomic
1273 namespaces:
1274 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1275 type: array
1276 items:
1277 type: string
1278 topologyKey:
1279 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1280 type: string
1281 weight:
1282 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
1283 type: integer
1284 format: int32
1285 requiredDuringSchedulingIgnoredDuringExecution:
1286 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
1287 type: array
1288 items:
1289 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
1290 type: object
1291 required:
1292 - topologyKey
1293 properties:
1294 labelSelector:
1295 description: A label query over a set of resources, in this case pods.
1296 type: object
1297 properties:
1298 matchExpressions:
1299 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1300 type: array
1301 items:
1302 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1303 type: object
1304 required:
1305 - key
1306 - operator
1307 properties:
1308 key:
1309 description: key is the label key that the selector applies to.
1310 type: string
1311 operator:
1312 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1313 type: string
1314 values:
1315 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1316 type: array
1317 items:
1318 type: string
1319 matchLabels:
1320 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1321 type: object
1322 additionalProperties:
1323 type: string
1324 x-kubernetes-map-type: atomic
1325 namespaceSelector:
1326 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1327 type: object
1328 properties:
1329 matchExpressions:
1330 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1331 type: array
1332 items:
1333 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1334 type: object
1335 required:
1336 - key
1337 - operator
1338 properties:
1339 key:
1340 description: key is the label key that the selector applies to.
1341 type: string
1342 operator:
1343 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1344 type: string
1345 values:
1346 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1347 type: array
1348 items:
1349 type: string
1350 matchLabels:
1351 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1352 type: object
1353 additionalProperties:
1354 type: string
1355 x-kubernetes-map-type: atomic
1356 namespaces:
1357 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1358 type: array
1359 items:
1360 type: string
1361 topologyKey:
1362 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1363 type: string
1364 podAntiAffinity:
1365 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
1366 type: object
1367 properties:
1368 preferredDuringSchedulingIgnoredDuringExecution:
1369 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1370 type: array
1371 items:
1372 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1373 type: object
1374 required:
1375 - podAffinityTerm
1376 - weight
1377 properties:
1378 podAffinityTerm:
1379 description: Required. A pod affinity term, associated with the corresponding weight.
1380 type: object
1381 required:
1382 - topologyKey
1383 properties:
1384 labelSelector:
1385 description: A label query over a set of resources, in this case pods.
1386 type: object
1387 properties:
1388 matchExpressions:
1389 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1390 type: array
1391 items:
1392 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1393 type: object
1394 required:
1395 - key
1396 - operator
1397 properties:
1398 key:
1399 description: key is the label key that the selector applies to.
1400 type: string
1401 operator:
1402 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1403 type: string
1404 values:
1405 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1406 type: array
1407 items:
1408 type: string
1409 matchLabels:
1410 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1411 type: object
1412 additionalProperties:
1413 type: string
1414 x-kubernetes-map-type: atomic
1415 namespaceSelector:
1416 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1417 type: object
1418 properties:
1419 matchExpressions:
1420 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1421 type: array
1422 items:
1423 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1424 type: object
1425 required:
1426 - key
1427 - operator
1428 properties:
1429 key:
1430 description: key is the label key that the selector applies to.
1431 type: string
1432 operator:
1433 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1434 type: string
1435 values:
1436 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1437 type: array
1438 items:
1439 type: string
1440 matchLabels:
1441 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1442 type: object
1443 additionalProperties:
1444 type: string
1445 x-kubernetes-map-type: atomic
1446 namespaces:
1447 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1448 type: array
1449 items:
1450 type: string
1451 topologyKey:
1452 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1453 type: string
1454 weight:
1455 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
1456 type: integer
1457 format: int32
1458 requiredDuringSchedulingIgnoredDuringExecution:
1459 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
1460 type: array
1461 items:
1462 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
1463 type: object
1464 required:
1465 - topologyKey
1466 properties:
1467 labelSelector:
1468 description: A label query over a set of resources, in this case pods.
1469 type: object
1470 properties:
1471 matchExpressions:
1472 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1473 type: array
1474 items:
1475 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1476 type: object
1477 required:
1478 - key
1479 - operator
1480 properties:
1481 key:
1482 description: key is the label key that the selector applies to.
1483 type: string
1484 operator:
1485 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1486 type: string
1487 values:
1488 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1489 type: array
1490 items:
1491 type: string
1492 matchLabels:
1493 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1494 type: object
1495 additionalProperties:
1496 type: string
1497 x-kubernetes-map-type: atomic
1498 namespaceSelector:
1499 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1500 type: object
1501 properties:
1502 matchExpressions:
1503 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1504 type: array
1505 items:
1506 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1507 type: object
1508 required:
1509 - key
1510 - operator
1511 properties:
1512 key:
1513 description: key is the label key that the selector applies to.
1514 type: string
1515 operator:
1516 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1517 type: string
1518 values:
1519 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1520 type: array
1521 items:
1522 type: string
1523 matchLabels:
1524 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1525 type: object
1526 additionalProperties:
1527 type: string
1528 x-kubernetes-map-type: atomic
1529 namespaces:
1530 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1531 type: array
1532 items:
1533 type: string
1534 topologyKey:
1535 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1536 type: string
1537 imagePullSecrets:
1538 description: If specified, the pod's imagePullSecrets
1539 type: array
1540 items:
1541 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
1542 type: object
1543 properties:
1544 name:
1545 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
1546 type: string
1547 x-kubernetes-map-type: atomic
1548 nodeSelector:
1549 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
1550 type: object
1551 additionalProperties:
1552 type: string
1553 priorityClassName:
1554 description: If specified, the pod's priorityClassName.
1555 type: string
1556 serviceAccountName:
1557 description: If specified, the pod's service account
1558 type: string
1559 tolerations:
1560 description: If specified, the pod's tolerations.
1561 type: array
1562 items:
1563 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
1564 type: object
1565 properties:
1566 effect:
1567 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
1568 type: string
1569 key:
1570 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
1571 type: string
1572 operator:
1573 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
1574 type: string
1575 tolerationSeconds:
1576 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
1577 type: integer
1578 format: int64
1579 value:
1580 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
1581 type: string
1582 serviceType:
1583 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1584 type: string
1585 selector:
1586 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
1587 type: object
1588 properties:
1589 dnsNames:
1590 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1591 type: array
1592 items:
1593 type: string
1594 dnsZones:
1595 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1596 type: array
1597 items:
1598 type: string
1599 matchLabels:
1600 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
1601 type: object
1602 additionalProperties:
1603 type: string
1604 token:
1605 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
1606 type: string
1607 type:
1608 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
1609 type: string
1610 enum:
1611 - HTTP-01
1612 - DNS-01
1613 url:
1614 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
1615 type: string
1616 wildcard:
1617 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
1618 type: boolean
1619 status:
1620 type: object
1621 properties:
1622 presented:
1623 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
1624 type: boolean
1625 processing:
1626 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
1627 type: boolean
1628 reason:
1629 description: Contains human readable information on why the Challenge is in the current state.
1630 type: string
1631 state:
1632 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
1633 type: string
1634 enum:
1635 - valid
1636 - ready
1637 - pending
1638 - processing
1639 - invalid
1640 - expired
1641 - errored
1642 served: true
1643 storage: true
1644 subresources:
1645 status: {}
1646---
1647apiVersion: apiextensions.k8s.io/v1
1648kind: CustomResourceDefinition
1649metadata:
1650 name: clusterissuers.cert-manager.io
1651 labels:
1652 app: '{{ template "cert-manager.name" . }}'
1653 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
1654 app.kubernetes.io/instance: "{{ .Release.Name }}"
1655 # Generated labels {{- include "labels" . | nindent 4 }}
1656spec:
1657 group: cert-manager.io
1658 names:
1659 kind: ClusterIssuer
1660 listKind: ClusterIssuerList
1661 plural: clusterissuers
1662 singular: clusterissuer
1663 categories:
1664 - cert-manager
1665 scope: Cluster
1666 versions:
1667 - name: v1
1668 subresources:
1669 status: {}
1670 additionalPrinterColumns:
1671 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1672 name: Ready
1673 type: string
1674 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1675 name: Status
1676 priority: 1
1677 type: string
1678 - jsonPath: .metadata.creationTimestamp
1679 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1680 name: Age
1681 type: date
1682 schema:
1683 openAPIV3Schema:
1684 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
1685 type: object
1686 required:
1687 - spec
1688 properties:
1689 apiVersion:
1690 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1691 type: string
1692 kind:
1693 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1694 type: string
1695 metadata:
1696 type: object
1697 spec:
1698 description: Desired state of the ClusterIssuer resource.
1699 type: object
1700 properties:
1701 acme:
1702 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
1703 type: object
1704 required:
1705 - privateKeySecretRef
1706 - server
1707 properties:
1708 caBundle:
1709 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
1710 type: string
1711 format: byte
1712 disableAccountKeyGeneration:
1713 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
1714 type: boolean
1715 email:
1716 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
1717 type: string
1718 enableDurationFeature:
1719 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers (Let's Encrypt, for example, does not support it). If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
1720 type: boolean
1721 externalAccountBinding:
1722 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
1723 type: object
1724 required:
1725 - keyID
1726 - keySecretRef
1727 properties:
1728 keyAlgorithm:
1729 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
1730 type: string
1731 enum:
1732 - HS256
1733 - HS384
1734 - HS512
1735 keyID:
1736 description: keyID is the ID of the CA key that the External Account is bound to.
1737 type: string
1738 keySecretRef:
1739 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
1740 type: object
1741 required:
1742 - name
1743 properties:
1744 key:
1745 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1746 type: string
1747 name:
1748 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1749 type: string
1750 preferredChain:
1751 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
1752 type: string
1753 maxLength: 64
1754 privateKeySecretRef:
1755 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
1756 type: object
1757 required:
1758 - name
1759 properties:
1760 key:
1761 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1762 type: string
1763 name:
1764 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1765 type: string
1766 server:
1767 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
1768 type: string
1769 skipTLSVerify:
1770 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
1771 type: boolean
1772 solvers:
1773 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
1774 type: array
1775 items:
1776 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
1777 type: object
1778 properties:
1779 dns01:
1780 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
1781 type: object
1782 properties:
1783 acmeDNS:
1784 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
1785 type: object
1786 required:
1787 - accountSecretRef
1788 - host
1789 properties:
1790 accountSecretRef:
1791 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1792 type: object
1793 required:
1794 - name
1795 properties:
1796 key:
1797 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1798 type: string
1799 name:
1800 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1801 type: string
1802 host:
1803 type: string
1804 akamai:
1805 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
1806 type: object
1807 required:
1808 - accessTokenSecretRef
1809 - clientSecretSecretRef
1810 - clientTokenSecretRef
1811 - serviceConsumerDomain
1812 properties:
1813 accessTokenSecretRef:
1814 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1815 type: object
1816 required:
1817 - name
1818 properties:
1819 key:
1820 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1821 type: string
1822 name:
1823 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1824 type: string
1825 clientSecretSecretRef:
1826 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1827 type: object
1828 required:
1829 - name
1830 properties:
1831 key:
1832 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1833 type: string
1834 name:
1835 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1836 type: string
1837 clientTokenSecretRef:
1838 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1839 type: object
1840 required:
1841 - name
1842 properties:
1843 key:
1844 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1845 type: string
1846 name:
1847 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1848 type: string
1849 serviceConsumerDomain:
1850 type: string
1851 azureDNS:
1852 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
1853 type: object
1854 required:
1855 - resourceGroupName
1856 - subscriptionID
1857 properties:
1858 clientID:
1859 description: If both this and clientSecretSecretRef are left unset, a managed identity (MSI) will be used.
1860 type: string
1861 clientSecretSecretRef:
1862 description: If both this and clientID are left unset, a managed identity (MSI) will be used.
1863 type: object
1864 required:
1865 - name
1866 properties:
1867 key:
1868 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1869 type: string
1870 name:
1871 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1872 type: string
1873 environment:
1874 description: name of the Azure environment (default AzurePublicCloud)
1875 type: string
1876 enum:
1877 - AzurePublicCloud
1878 - AzureChinaCloud
1879 - AzureGermanCloud
1880 - AzureUSGovernmentCloud
1881 hostedZoneName:
1882 description: name of the DNS zone that should be used
1883 type: string
1884 managedIdentity:
1885 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
1886 type: object
1887 properties:
1888 clientID:
1889 description: client ID of the managed identity, can not be used at the same time as resourceID
1890 type: string
1891 resourceID:
1892 description: resource ID of the managed identity, can not be used at the same time as clientID
1893 type: string
1894 resourceGroupName:
1895 description: resource group the DNS zone is located in
1896 type: string
1897 subscriptionID:
1898 description: ID of the Azure subscription
1899 type: string
1900 tenantID:
1901 description: Required when clientID and clientSecretSecretRef are specified.
1902 type: string
1903 cloudDNS:
1904 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
1905 type: object
1906 required:
1907 - project
1908 properties:
1909 hostedZoneName:
1910 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
1911 type: string
1912 project:
1913 type: string
1914 serviceAccountSecretRef:
1915 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1916 type: object
1917 required:
1918 - name
1919 properties:
1920 key:
1921 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1922 type: string
1923 name:
1924 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1925 type: string
1926 cloudflare:
1927 description: Use the Cloudflare API to manage DNS01 challenge records.
1928 type: object
1929 properties:
1930 apiKeySecretRef:
1931 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
1932 type: object
1933 required:
1934 - name
1935 properties:
1936 key:
1937 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1938 type: string
1939 name:
1940 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1941 type: string
1942 apiTokenSecretRef:
1943 description: API token used to authenticate with Cloudflare.
1944 type: object
1945 required:
1946 - name
1947 properties:
1948 key:
1949 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1950 type: string
1951 name:
1952 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1953 type: string
1954 email:
1955 description: Email of the account, only required when using API key based authentication.
1956 type: string
1957 cnameStrategy:
1958 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
1959 type: string
1960 enum:
1961 - None
1962 - Follow
1963 digitalocean:
1964 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
1965 type: object
1966 required:
1967 - tokenSecretRef
1968 properties:
1969 tokenSecretRef:
1970 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1971 type: object
1972 required:
1973 - name
1974 properties:
1975 key:
1976 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1977 type: string
1978 name:
1979 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1980 type: string
1981 rfc2136:
1982 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
1983 type: object
1984 required:
1985 - nameserver
1986 properties:
1987 nameserver:
1988 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
1989 type: string
1990 tsigAlgorithm:
1991 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The ``HMACMD5`` default is kept for compatibility with older servers; prefer ``HMACSHA256`` or ``HMACSHA512`` where the nameserver supports them.'
1992 type: string
1993 tsigKeyName:
1994 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
1995 type: string
1996 tsigSecretSecretRef:
1997 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
1998 type: object
1999 required:
2000 - name
2001 properties:
2002 key:
2003 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2004 type: string
2005 name:
2006 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2007 type: string
2008 route53:
2009 description: Use the AWS Route53 API to manage DNS01 challenge records.
2010 type: object
2011 required:
2012 - region
2013 properties:
2014 accessKeyID:
2015 description: 'The AccessKeyID is used for authentication. Cannot be set when accessKeyIDSecretRef is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2016 type: string
2017 accessKeyIDSecretRef:
2018 description: 'The AccessKeyIDSecretRef is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when accessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2019 type: object
2020 required:
2021 - name
2022 properties:
2023 key:
2024 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2025 type: string
2026 name:
2027 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2028 type: string
2029 hostedZoneID:
2030 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
2031 type: string
2032 region:
2033 description: Always set the region when using AccessKeyID and SecretAccessKey
2034 type: string
2035 role:
2036 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
2037 type: string
2038 secretAccessKeySecretRef:
2039 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2040 type: object
2041 required:
2042 - name
2043 properties:
2044 key:
2045 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2046 type: string
2047 name:
2048 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2049 type: string
2050 webhook:
2051 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2052 type: object
2053 required:
2054 - groupName
2055 - solverName
2056 properties:
2057 config:
2058 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2059 x-kubernetes-preserve-unknown-fields: true
2060 groupName:
2061 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2062 type: string
2063 solverName:
2064 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2065 type: string
2066 http01:
2067 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2068 type: object
2069 properties:
2070 gatewayHTTPRoute:
2071 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2072 type: object
2073 properties:
2074 labels:
2075 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
2076 type: object
2077 additionalProperties:
2078 type: string
2079 parentRefs:
2080 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
2081 type: array
2082 items:
2083 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
2084 type: object
2085 required:
2086 - name
2087 properties:
2088 group:
2089 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
2090 type: string
2091 default: gateway.networking.k8s.io
2092 maxLength: 253
2093 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
2094 kind:
2095 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
2096 type: string
2097 default: Gateway
2098 maxLength: 63
2099 minLength: 1
2100 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
2101 name:
2102 description: "Name is the name of the referent. \n Support: Core"
2103 type: string
2104 maxLength: 253
2105 minLength: 1
2106 namespace:
2107 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
2108 type: string
2109 maxLength: 63
2110 minLength: 1
2111 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
2112 port:
2113 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
2114 type: integer
2115 format: int32
2116 maximum: 65535
2117 minimum: 1
2118 sectionName:
2119 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
2120 type: string
2121 maxLength: 253
2122 minLength: 1
2123 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
2124 serviceType:
2125 description: Optional service type for the Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. Note that NodePort publishes the solver service on a port of every node; prefer ClusterIP when the Gateway or ingress controller can reach the service in-cluster, so the solver is not exposed on node IPs.
2126 type: string
2127 ingress:
2128 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
2129 type: object
2130 properties:
2131 class:
Giorgi Lekveishvili0048a782023-06-20 18:32:21 +04002132 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
2133 type: string
2134 ingressClassName:
2135 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
Giorgi Lekveishvilid1234c12023-06-19 10:37:06 +04002136 type: string
2137 ingressTemplate:
2138 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
2139 type: object
2140 properties:
2141 metadata:
2142 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2143 type: object
2144 properties:
2145 annotations:
2146 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
2147 type: object
2148 additionalProperties:
2149 type: string
2150 labels:
2151 description: Labels that should be added to the created ACME HTTP01 solver ingress.
2152 type: object
2153 additionalProperties:
2154 type: string
2155 name:
Giorgi Lekveishvili0048a782023-06-20 18:32:21 +04002156 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
Giorgi Lekveishvilid1234c12023-06-19 10:37:06 +04002157 type: string
2158 podTemplate:
2159 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2160 type: object
2161 properties:
2162 metadata:
2163 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2164 type: object
2165 properties:
2166 annotations:
2167 description: Annotations that should be added to the created ACME HTTP01 solver pods.
2168 type: object
2169 additionalProperties:
2170 type: string
2171 labels:
2172 description: Labels that should be added to the created ACME HTTP01 solver pods.
2173 type: object
2174 additionalProperties:
2175 type: string
2176 spec:
Giorgi Lekveishvili0048a782023-06-20 18:32:21 +04002177 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
Giorgi Lekveishvilid1234c12023-06-19 10:37:06 +04002178 type: object
2179 properties:
2180 affinity:
2181 description: If specified, the pod's scheduling constraints
2182 type: object
2183 properties:
2184 nodeAffinity:
2185 description: Describes node affinity scheduling rules for the pod.
2186 type: object
2187 properties:
2188 preferredDuringSchedulingIgnoredDuringExecution:
2189 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2190 type: array
2191 items:
2192 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2193 type: object
2194 required:
2195 - preference
2196 - weight
2197 properties:
2198 preference:
2199 description: A node selector term, associated with the corresponding weight.
2200 type: object
2201 properties:
2202 matchExpressions:
2203 description: A list of node selector requirements by node's labels.
2204 type: array
2205 items:
2206 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2207 type: object
2208 required:
2209 - key
2210 - operator
2211 properties:
2212 key:
2213 description: The label key that the selector applies to.
2214 type: string
2215 operator:
2216 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2217 type: string
2218 values:
2219 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2220 type: array
2221 items:
2222 type: string
2223 matchFields:
2224 description: A list of node selector requirements by node's fields.
2225 type: array
2226 items:
2227 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2228 type: object
2229 required:
2230 - key
2231 - operator
2232 properties:
2233 key:
2234 description: The label key that the selector applies to.
2235 type: string
2236 operator:
2237 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2238 type: string
2239 values:
2240 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2241 type: array
2242 items:
2243 type: string
2244 x-kubernetes-map-type: atomic
2245 weight:
2246 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2247 type: integer
2248 format: int32
2249 requiredDuringSchedulingIgnoredDuringExecution:
2250 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2251 type: object
2252 required:
2253 - nodeSelectorTerms
2254 properties:
2255 nodeSelectorTerms:
2256 description: Required. A list of node selector terms. The terms are ORed.
2257 type: array
2258 items:
2259 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2260 type: object
2261 properties:
2262 matchExpressions:
2263 description: A list of node selector requirements by node's labels.
2264 type: array
2265 items:
2266 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2267 type: object
2268 required:
2269 - key
2270 - operator
2271 properties:
2272 key:
2273 description: The label key that the selector applies to.
2274 type: string
2275 operator:
2276 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2277 type: string
2278 values:
2279 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2280 type: array
2281 items:
2282 type: string
2283 matchFields:
2284 description: A list of node selector requirements by node's fields.
2285 type: array
2286 items:
2287 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2288 type: object
2289 required:
2290 - key
2291 - operator
2292 properties:
2293 key:
2294 description: The label key that the selector applies to.
2295 type: string
2296 operator:
2297 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2298 type: string
2299 values:
2300 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2301 type: array
2302 items:
2303 type: string
2304 x-kubernetes-map-type: atomic
2305 x-kubernetes-map-type: atomic
2306 podAffinity:
2307 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2308 type: object
2309 properties:
2310 preferredDuringSchedulingIgnoredDuringExecution:
2311 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2312 type: array
2313 items:
2314 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2315 type: object
2316 required:
2317 - podAffinityTerm
2318 - weight
2319 properties:
2320 podAffinityTerm:
2321 description: Required. A pod affinity term, associated with the corresponding weight.
2322 type: object
2323 required:
2324 - topologyKey
2325 properties:
2326 labelSelector:
2327 description: A label query over a set of resources, in this case pods.
2328 type: object
2329 properties:
2330 matchExpressions:
2331 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2332 type: array
2333 items:
2334 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2335 type: object
2336 required:
2337 - key
2338 - operator
2339 properties:
2340 key:
2341 description: key is the label key that the selector applies to.
2342 type: string
2343 operator:
2344 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2345 type: string
2346 values:
2347 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2348 type: array
2349 items:
2350 type: string
2351 matchLabels:
2352 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2353 type: object
2354 additionalProperties:
2355 type: string
2356 x-kubernetes-map-type: atomic
2357 namespaceSelector:
2358 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2359 type: object
2360 properties:
2361 matchExpressions:
2362 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2363 type: array
2364 items:
2365 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2366 type: object
2367 required:
2368 - key
2369 - operator
2370 properties:
2371 key:
2372 description: key is the label key that the selector applies to.
2373 type: string
2374 operator:
2375 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2376 type: string
2377 values:
2378 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2379 type: array
2380 items:
2381 type: string
2382 matchLabels:
2383 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2384 type: object
2385 additionalProperties:
2386 type: string
2387 x-kubernetes-map-type: atomic
2388 namespaces:
2389 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2390 type: array
2391 items:
2392 type: string
2393 topologyKey:
2394 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2395 type: string
2396 weight:
2397 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2398 type: integer
2399 format: int32
2400 requiredDuringSchedulingIgnoredDuringExecution:
2401 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2402 type: array
2403 items:
2404 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2405 type: object
2406 required:
2407 - topologyKey
2408 properties:
2409 labelSelector:
2410 description: A label query over a set of resources, in this case pods.
2411 type: object
2412 properties:
2413 matchExpressions:
2414 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2415 type: array
2416 items:
2417 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2418 type: object
2419 required:
2420 - key
2421 - operator
2422 properties:
2423 key:
2424 description: key is the label key that the selector applies to.
2425 type: string
2426 operator:
2427 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2428 type: string
2429 values:
2430 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2431 type: array
2432 items:
2433 type: string
2434 matchLabels:
2435 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2436 type: object
2437 additionalProperties:
2438 type: string
2439 x-kubernetes-map-type: atomic
2440 namespaceSelector:
2441 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2442 type: object
2443 properties:
2444 matchExpressions:
2445 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2446 type: array
2447 items:
2448 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2449 type: object
2450 required:
2451 - key
2452 - operator
2453 properties:
2454 key:
2455 description: key is the label key that the selector applies to.
2456 type: string
2457 operator:
2458 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2459 type: string
2460 values:
2461 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2462 type: array
2463 items:
2464 type: string
2465 matchLabels:
2466 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2467 type: object
2468 additionalProperties:
2469 type: string
2470 x-kubernetes-map-type: atomic
2471 namespaces:
2472 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2473 type: array
2474 items:
2475 type: string
2476 topologyKey:
2477 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2478 type: string
2479 podAntiAffinity:
2480 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2481 type: object
2482 properties:
2483 preferredDuringSchedulingIgnoredDuringExecution:
2484 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2485 type: array
2486 items:
2487 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2488 type: object
2489 required:
2490 - podAffinityTerm
2491 - weight
2492 properties:
2493 podAffinityTerm:
2494 description: Required. A pod affinity term, associated with the corresponding weight.
2495 type: object
2496 required:
2497 - topologyKey
2498 properties:
2499 labelSelector:
2500 description: A label query over a set of resources, in this case pods.
2501 type: object
2502 properties:
2503 matchExpressions:
2504 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2505 type: array
2506 items:
2507 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2508 type: object
2509 required:
2510 - key
2511 - operator
2512 properties:
2513 key:
2514 description: key is the label key that the selector applies to.
2515 type: string
2516 operator:
2517 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2518 type: string
2519 values:
2520 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2521 type: array
2522 items:
2523 type: string
2524 matchLabels:
2525 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2526 type: object
2527 additionalProperties:
2528 type: string
2529 x-kubernetes-map-type: atomic
2530 namespaceSelector:
2531 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2532 type: object
2533 properties:
2534 matchExpressions:
2535 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2536 type: array
2537 items:
2538 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2539 type: object
2540 required:
2541 - key
2542 - operator
2543 properties:
2544 key:
2545 description: key is the label key that the selector applies to.
2546 type: string
2547 operator:
2548 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2549 type: string
2550 values:
2551 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2552 type: array
2553 items:
2554 type: string
2555 matchLabels:
2556 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2557 type: object
2558 additionalProperties:
2559 type: string
2560 x-kubernetes-map-type: atomic
2561 namespaces:
2562 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2563 type: array
2564 items:
2565 type: string
2566 topologyKey:
2567 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2568 type: string
2569 weight:
2570 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2571 type: integer
2572 format: int32
2573 requiredDuringSchedulingIgnoredDuringExecution:
2574 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2575 type: array
2576 items:
2577 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2578 type: object
2579 required:
2580 - topologyKey
2581 properties:
2582 labelSelector:
2583 description: A label query over a set of resources, in this case pods.
2584 type: object
2585 properties:
2586 matchExpressions:
2587 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2588 type: array
2589 items:
2590 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2591 type: object
2592 required:
2593 - key
2594 - operator
2595 properties:
2596 key:
2597 description: key is the label key that the selector applies to.
2598 type: string
2599 operator:
2600 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2601 type: string
2602 values:
2603 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2604 type: array
2605 items:
2606 type: string
2607 matchLabels:
2608 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2609 type: object
2610 additionalProperties:
2611 type: string
2612 x-kubernetes-map-type: atomic
2613 namespaceSelector:
2614 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2615 type: object
2616 properties:
2617 matchExpressions:
2618 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2619 type: array
2620 items:
2621 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2622 type: object
2623 required:
2624 - key
2625 - operator
2626 properties:
2627 key:
2628 description: key is the label key that the selector applies to.
2629 type: string
2630 operator:
2631 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2632 type: string
2633 values:
2634 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2635 type: array
2636 items:
2637 type: string
2638 matchLabels:
2639 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2640 type: object
2641 additionalProperties:
2642 type: string
2643 x-kubernetes-map-type: atomic
2644 namespaces:
2645 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2646 type: array
2647 items:
2648 type: string
2649 topologyKey:
2650 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2651 type: string
2652 imagePullSecrets:
2653 description: If specified, the pod's imagePullSecrets
2654 type: array
2655 items:
2656 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
2657 type: object
2658 properties:
2659 name:
2660 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
2661 type: string
2662 x-kubernetes-map-type: atomic
2663 nodeSelector:
2664 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2665 type: object
2666 additionalProperties:
2667 type: string
2668 priorityClassName:
2669 description: If specified, the pod's priorityClassName.
2670 type: string
2671 serviceAccountName:
2672 description: If specified, the pod's service account
2673 type: string
2674 tolerations:
2675 description: If specified, the pod's tolerations.
2676 type: array
2677 items:
2678 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2679 type: object
2680 properties:
2681 effect:
2682 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2683 type: string
2684 key:
2685 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2686 type: string
2687 operator:
2688 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2689 type: string
2690 tolerationSeconds:
2691 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
2692 type: integer
2693 format: int64
2694 value:
2695 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
2696 type: string
2697 serviceType:
2698 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2699 type: string
2700 selector:
2701 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
2702 type: object
2703 properties:
2704 dnsNames:
2705 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2706 type: array
2707 items:
2708 type: string
2709 dnsZones:
2710 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2711 type: array
2712 items:
2713 type: string
2714 matchLabels:
2715 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
2716 type: object
2717 additionalProperties:
2718 type: string
2719 ca:
2720 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
2721 type: object
2722 required:
2723 - secretName
2724 properties:
2725 crlDistributionPoints:
2726 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
2727 type: array
2728 items:
2729 type: string
2730 ocspServers:
2731 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
2732 type: array
2733 items:
2734 type: string
2735 secretName:
2736 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
2737 type: string
2738 selfSigned:
2739 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
2740 type: object
2741 properties:
2742 crlDistributionPoints:
2743 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without CDP. Values are strings.
2744 type: array
2745 items:
2746 type: string
2747 vault:
2748 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
2749 type: object
2750 required:
2751 - auth
2752 - path
2753 - server
2754 properties:
2755 auth:
2756 description: Auth configures how cert-manager authenticates with the Vault server.
2757 type: object
2758 properties:
2759 appRole:
2760 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
2761 type: object
2762 required:
2763 - path
2764 - roleId
2765 - secretRef
2766 properties:
2767 path:
2768 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
2769 type: string
2770 roleId:
2771 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
2772 type: string
2773 secretRef:
2774 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
2775 type: object
2776 required:
2777 - name
2778 properties:
2779 key:
2780 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2781 type: string
2782 name:
2783 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2784 type: string
2785 kubernetes:
2786 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
2787 type: object
2788 required:
2789 - role
2790 properties:
2791 mountPath:
2792 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
2793 type: string
2794 role:
2795 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
2796 type: string
2797 secretRef:
2798 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
2799 type: object
2800 required:
2801 - name
2802 properties:
2803 key:
2804 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2805 type: string
2806 name:
2807 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2808 type: string
2809 serviceAccountRef:
2810 description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
2811 type: object
2812 required:
2813 - name
2814 properties:
2815 name:
2816 description: Name of the ServiceAccount used to request a token.
2817 type: string
2818 tokenSecretRef:
2819 description: TokenSecretRef authenticates with Vault by presenting a token.
2820 type: object
2821 required:
2822 - name
2823 properties:
2824 key:
2825 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2826 type: string
2827 name:
2828 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2829 type: string
2830 caBundle:
2831 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
2832 type: string
2833 format: byte
2834 caBundleSecretRef:
2835 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
2836 type: object
2837 required:
2838 - name
2839 properties:
2840 key:
2841 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2842 type: string
2843 name:
2844 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2845 type: string
2846 namespace:
2847 description: 'Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
2848 type: string
2849 path:
2850 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
2851 type: string
2852 server:
2853 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
2854 type: string
2855 venafi:
2856 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
2857 type: object
2858 required:
2859 - zone
2860 properties:
2861 cloud:
2862 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
2863 type: object
2864 required:
2865 - apiTokenSecretRef
2866 properties:
2867 apiTokenSecretRef:
2868 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
2869 type: object
2870 required:
2871 - name
2872 properties:
2873 key:
2874 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2875 type: string
2876 name:
2877 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2878 type: string
2879 url:
2880 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
2881 type: string
2882 tpp:
2883 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
2884 type: object
2885 required:
2886 - credentialsRef
2887 - url
2888 properties:
2889 caBundle:
2890 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
2891 type: string
2892 format: byte
2893 credentialsRef:
2894 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
2895 type: object
2896 required:
2897 - name
2898 properties:
2899 name:
2900 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2901 type: string
2902 url:
2903 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
2904 type: string
2905 zone:
2906 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
2907 type: string
2908 status:
2909 description: Status of the ClusterIssuer. This is set and managed automatically.
2910 type: object
2911 properties:
2912 acme:
2913 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
2914 type: object
2915 properties:
2916 lastPrivateKeyHash:
2917 description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
2918 type: string
2919 lastRegisteredEmail:
2920 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
2921 type: string
2922 uri:
2923 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
2924 type: string
2925 conditions:
2926 description: List of status conditions to indicate the status of a ClusterIssuer. Known condition types are `Ready`.
2927 type: array
2928 items:
2929 description: IssuerCondition contains condition information for an Issuer.
2930 type: object
2931 required:
2932 - status
2933 - type
2934 properties:
2935 lastTransitionTime:
2936 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2937 type: string
2938 format: date-time
2939 message:
2940 description: Message is a human readable description of the details of the last transition, complementing reason.
2941 type: string
2942 observedGeneration:
2943 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
2944 type: integer
2945 format: int64
2946 reason:
2947 description: Reason is a brief machine readable explanation for the condition's last transition.
2948 type: string
2949 status:
2950 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2951 type: string
2952 enum:
2953 - "True"
2954 - "False"
2955 - Unknown
2956 type:
2957 description: Type of the condition, known values are (`Ready`).
2958 type: string
2959 x-kubernetes-list-map-keys:
2960 - type
2961 x-kubernetes-list-type: map
2962 served: true
2963 storage: true
2964---
2965apiVersion: apiextensions.k8s.io/v1
2966kind: CustomResourceDefinition
2967metadata:
2968 name: issuers.cert-manager.io
2969 labels:
2970 app: '{{ template "cert-manager.name" . }}'
2971 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
2972 app.kubernetes.io/instance: "{{ .Release.Name }}"
2973 # Generated labels {{- include "labels" . | nindent 4 }}
2974spec:
2975 group: cert-manager.io
2976 names:
2977 kind: Issuer
2978 listKind: IssuerList
2979 plural: issuers
2980 singular: issuer
2981 categories:
2982 - cert-manager
2983 scope: Namespaced
2984 versions:
2985 - name: v1
2986 subresources:
2987 status: {}
2988 additionalPrinterColumns:
2989 - jsonPath: .status.conditions[?(@.type=="Ready")].status
2990 name: Ready
2991 type: string
2992 - jsonPath: .status.conditions[?(@.type=="Ready")].message
2993 name: Status
2994 priority: 1
2995 type: string
2996 - jsonPath: .metadata.creationTimestamp
2997 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2998 name: Age
2999 type: date
3000 schema:
3001 openAPIV3Schema:
3002 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
3003 type: object
3004 required:
3005 - spec
3006 properties:
3007 apiVersion:
3008 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3009 type: string
3010 kind:
3011 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3012 type: string
3013 metadata:
3014 type: object
3015 spec:
3016 description: Desired state of the Issuer resource.
3017 type: object
3018 properties:
3019 acme:
3020 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
3021 type: object
3022 required:
3023 - privateKeySecretRef
3024 - server
3025 properties:
3026 caBundle:
3027 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
3028 type: string
3029 format: byte
3030 disableAccountKeyGeneration:
3031 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
3032 type: boolean
3033 email:
3034 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
3035 type: string
3036 enableDurationFeature:
3037 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
3038 type: boolean
3039 externalAccountBinding:
3040 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
3041 type: object
3042 required:
3043 - keyID
3044 - keySecretRef
3045 properties:
3046 keyAlgorithm:
3047 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
3048 type: string
3049 enum:
3050 - HS256
3051 - HS384
3052 - HS512
3053 keyID:
3054 description: keyID is the ID of the CA key that the External Account is bound to.
3055 type: string
3056 keySecretRef:
3057 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
3058 type: object
3059 required:
3060 - name
3061 properties:
3062 key:
3063 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3064 type: string
3065 name:
3066 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3067 type: string
3068 preferredChain:
3069 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN. Matching is on the issuer CN only: this field selects among the chains the server offers and does not constrain which CAs are trusted.'
3070 type: string
3071 maxLength: 64
3072 privateKeySecretRef:
3073 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
3074 type: object
3075 required:
3076 - name
3077 properties:
3078 key:
3079 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3080 type: string
3081 name:
3082 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3083 type: string
3084 server:
3085 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
3086 type: string
3087 skipTLSVerify:
3088 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated, so an on-path attacker could impersonate the ACME server. Mutually exclusive with CABundle; prefer using CABundle (e.g. for a private ACME server with its own CA) to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
3089 type: boolean
3090 solvers:
3091 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
3092 type: array
3093 items:
3094 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
3095 type: object
3096 properties:
3097 dns01:
3098 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
3099 type: object
3100 properties:
3101 acmeDNS:
3102 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
3103 type: object
3104 required:
3105 - accountSecretRef
3106 - host
3107 properties:
3108 accountSecretRef:
3109 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3110 type: object
3111 required:
3112 - name
3113 properties:
3114 key:
3115 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3116 type: string
3117 name:
3118 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3119 type: string
3120 host:
3121 type: string
3122 akamai:
3123 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
3124 type: object
3125 required:
3126 - accessTokenSecretRef
3127 - clientSecretSecretRef
3128 - clientTokenSecretRef
3129 - serviceConsumerDomain
3130 properties:
3131 accessTokenSecretRef:
3132 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3133 type: object
3134 required:
3135 - name
3136 properties:
3137 key:
3138 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3139 type: string
3140 name:
3141 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3142 type: string
3143 clientSecretSecretRef:
3144 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3145 type: object
3146 required:
3147 - name
3148 properties:
3149 key:
3150 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3151 type: string
3152 name:
3153 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3154 type: string
3155 clientTokenSecretRef:
3156 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3157 type: object
3158 required:
3159 - name
3160 properties:
3161 key:
3162 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3163 type: string
3164 name:
3165 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3166 type: string
3167 serviceConsumerDomain:
3168 type: string
3169 azureDNS:
3170 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
3171 type: object
3172 required:
3173 - resourceGroupName
3174 - subscriptionID
3175 properties:
3176 clientID:
3177 description: Client ID used together with clientSecretSecretRef and tenantID for client-secret authentication. If both this and clientSecretSecretRef are left unset, a managed identity (MSI) is used instead; see managedIdentity.
3178 type: string
3179 clientSecretSecretRef:
3180 description: Reference to the Secret key holding the client secret that pairs with clientID. If both this and clientID are left unset, a managed identity (MSI) is used instead; see managedIdentity.
3181 type: object
3182 required:
3183 - name
3184 properties:
3185 key:
3186 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3187 type: string
3188 name:
3189 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3190 type: string
3191 environment:
3192 description: name of the Azure environment (default AzurePublicCloud)
3193 type: string
3194 enum:
3195 - AzurePublicCloud
3196 - AzureChinaCloud
3197 - AzureGermanCloud
3198 - AzureUSGovernmentCloud
3199 hostedZoneName:
3200 description: name of the DNS zone that should be used
3201 type: string
3202 managedIdentity:
3203 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
3204 type: object
3205 properties:
3206 clientID:
3207 description: client ID of the managed identity, can not be used at the same time as resourceID
3208 type: string
3209 resourceID:
3210 description: resource ID of the managed identity, can not be used at the same time as clientID
3211 type: string
3212 resourceGroupName:
3213 description: resource group the DNS zone is located in
3214 type: string
3215 subscriptionID:
3216 description: ID of the Azure subscription
3217 type: string
3218 tenantID:
3219 description: ID of the Azure tenant. Required when clientID and clientSecretSecretRef are specified.
3220 type: string
3221 cloudDNS:
3222 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3223 type: object
3224 required:
3225 - project
3226 properties:
3227 hostedZoneName:
3228 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
3229 type: string
3230 project:
3231 type: string
3232 serviceAccountSecretRef:
3233 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3234 type: object
3235 required:
3236 - name
3237 properties:
3238 key:
3239 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3240 type: string
3241 name:
3242 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3243 type: string
3244 cloudflare:
3245 description: Use the Cloudflare API to manage DNS01 challenge records.
3246 type: object
3247 properties:
3248 apiKeySecretRef:
3249 description: 'API key to use to authenticate with Cloudflare. Note: using an API token (apiTokenSecretRef) to authenticate is now the recommended method, as a token can be scoped to only the permissions the DNS01 solver needs, whereas an API key cannot be restricted in the same way.'
3250 type: object
3251 required:
3252 - name
3253 properties:
3254 key:
3255 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3256 type: string
3257 name:
3258 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3259 type: string
3260 apiTokenSecretRef:
3261 description: API token used to authenticate with Cloudflare.
3262 type: object
3263 required:
3264 - name
3265 properties:
3266 key:
3267 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3268 type: string
3269 name:
3270 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3271 type: string
3272 email:
3273 description: Email of the account, only required when using API key based authentication.
3274 type: string
3275 cnameStrategy:
3276 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3277 type: string
3278 enum:
3279 - None
3280 - Follow
3281 digitalocean:
3282 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3283 type: object
3284 required:
3285 - tokenSecretRef
3286 properties:
3287 tokenSecretRef:
3288 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3289 type: object
3290 required:
3291 - name
3292 properties:
3293 key:
3294 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3295 type: string
3296 name:
3297 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3298 type: string
3299 rfc2136:
3300 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3301 type: object
3302 required:
3303 - nameserver
3304 properties:
3305 nameserver:
3306 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
3307 type: string
3308 tsigAlgorithm:
3309 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Prefer ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them; ``HMACMD5`` and ``HMACSHA1`` are legacy algorithms and should only be used when the server supports nothing stronger.'
3310 type: string
3311 tsigKeyName:
3312 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3313 type: string
3314 tsigSecretSecretRef:
3315 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3316 type: object
3317 required:
3318 - name
3319 properties:
3320 key:
3321 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3322 type: string
3323 name:
3324 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3325 type: string
3326 route53:
3327 description: Use the AWS Route53 API to manage DNS01 challenge records.
3328 type: object
3329 required:
3330 - region
3331 properties:
3332 accessKeyID:
3333 description: 'The AccessKeyID is used for authentication. Cannot be set when accessKeyIDSecretRef is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3334 type: string
3335 accessKeyIDSecretRef:
3336 description: 'The AccessKeyID is used for authentication. If set, the AWS access key ID is read from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3337 type: object
3338 required:
3339 - name
3340 properties:
3341 key:
3342 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3343 type: string
3344 name:
3345 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3346 type: string
3347 hostedZoneID:
3348 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
3349 type: string
3350 region:
3351 description: Always set the region when using AccessKeyID and SecretAccessKey
3352 type: string
3353 role:
3354 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3355 type: string
3356 secretAccessKeySecretRef:
3357 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3358 type: object
3359 required:
3360 - name
3361 properties:
3362 key:
3363 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3364 type: string
3365 name:
3366 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3367 type: string
3368 webhook:
3369 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3370 type: object
3371 required:
3372 - groupName
3373 - solverName
3374 properties:
3375 config:
3376 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3377 x-kubernetes-preserve-unknown-fields: true
3378 groupName:
3379 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3380 type: string
3381 solverName:
3382 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3383 type: string
3384 http01:
3385 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3386 type: object
3387 properties:
3388 gatewayHTTPRoute:
3389 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3390 type: object
3391 properties:
3392 labels:
3393 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
3394 type: object
3395 additionalProperties:
3396 type: string
3397 parentRefs:
3398 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
3399 type: array
3400 items:
3401 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
3402 type: object
3403 required:
3404 - name
3405 properties:
3406 group:
3407 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
3408 type: string
3409 default: gateway.networking.k8s.io
3410 maxLength: 253
3411 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
3412 kind:
3413 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
3414 type: string
3415 default: Gateway
3416 maxLength: 63
3417 minLength: 1
3418 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
3419 name:
3420 description: "Name is the name of the referent. \n Support: Core"
3421 type: string
3422 maxLength: 253
3423 minLength: 1
3424 namespace:
3425 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
3426 type: string
3427 maxLength: 63
3428 minLength: 1
3429 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
3430 port:
3431 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
3432 type: integer
3433 format: int32
3434 maximum: 65535
3435 minimum: 1
3436 sectionName:
3437 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
3438 type: string
3439 maxLength: 253
3440 minLength: 1
3441 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
3442 serviceType:
3443 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3444 type: string
3445 ingress:
3446 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3447 type: object
3448 properties:
3449 class:
Giorgi Lekveishvili0048a782023-06-20 18:32:21 +04003450 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
3451 type: string
3452 ingressClassName:
3453 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
Giorgi Lekveishvilid1234c12023-06-19 10:37:06 +04003454 type: string
3455 ingressTemplate:
3456 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
3457 type: object
3458 properties:
3459 metadata:
3460 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3461 type: object
3462 properties:
3463 annotations:
3464 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3465 type: object
3466 additionalProperties:
3467 type: string
3468 labels:
3469 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3470 type: object
3471 additionalProperties:
3472 type: string
3473 name:
Giorgi Lekveishvili0048a782023-06-20 18:32:21 +04003474 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
Giorgi Lekveishvilid1234c12023-06-19 10:37:06 +04003475 type: string
3476 podTemplate:
3477 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3478 type: object
3479 properties:
3480 metadata:
3481 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3482 type: object
3483 properties:
3484 annotations:
3485 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3486 type: object
3487 additionalProperties:
3488 type: string
3489 labels:
3490 description: Labels that should be added to the created ACME HTTP01 solver pods.
3491 type: object
3492 additionalProperties:
3493 type: string
3494 spec:
Giorgi Lekveishvili0048a782023-06-20 18:32:21 +04003495 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
Giorgi Lekveishvilid1234c12023-06-19 10:37:06 +04003496 type: object
3497 properties:
3498 affinity:
3499 description: If specified, the pod's scheduling constraints
3500 type: object
3501 properties:
3502 nodeAffinity:
3503 description: Describes node affinity scheduling rules for the pod.
3504 type: object
3505 properties:
3506 preferredDuringSchedulingIgnoredDuringExecution:
3507 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3508 type: array
3509 items:
3510 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3511 type: object
3512 required:
3513 - preference
3514 - weight
3515 properties:
3516 preference:
3517 description: A node selector term, associated with the corresponding weight.
3518 type: object
3519 properties:
3520 matchExpressions:
3521 description: A list of node selector requirements by node's labels.
3522 type: array
3523 items:
3524 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3525 type: object
3526 required:
3527 - key
3528 - operator
3529 properties:
3530 key:
3531 description: The label key that the selector applies to.
3532 type: string
3533 operator:
3534 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3535 type: string
3536 values:
3537 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3538 type: array
3539 items:
3540 type: string
3541 matchFields:
3542 description: A list of node selector requirements by node's fields.
3543 type: array
3544 items:
3545 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3546 type: object
3547 required:
3548 - key
3549 - operator
3550 properties:
3551 key:
3552 description: The label key that the selector applies to.
3553 type: string
3554 operator:
3555 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3556 type: string
3557 values:
3558 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3559 type: array
3560 items:
3561 type: string
3562 x-kubernetes-map-type: atomic
3563 weight:
3564 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3565 type: integer
3566 format: int32
3567 requiredDuringSchedulingIgnoredDuringExecution:
3568 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3569 type: object
3570 required:
3571 - nodeSelectorTerms
3572 properties:
3573 nodeSelectorTerms:
3574 description: Required. A list of node selector terms. The terms are ORed.
3575 type: array
3576 items:
3577 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3578 type: object
3579 properties:
3580 matchExpressions:
3581 description: A list of node selector requirements by node's labels.
3582 type: array
3583 items:
3584 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3585 type: object
3586 required:
3587 - key
3588 - operator
3589 properties:
3590 key:
3591 description: The label key that the selector applies to.
3592 type: string
3593 operator:
3594 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3595 type: string
3596 values:
3597 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3598 type: array
3599 items:
3600 type: string
3601 matchFields:
3602 description: A list of node selector requirements by node's fields.
3603 type: array
3604 items:
3605 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3606 type: object
3607 required:
3608 - key
3609 - operator
3610 properties:
3611 key:
3612 description: The label key that the selector applies to.
3613 type: string
3614 operator:
3615 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3616 type: string
3617 values:
3618 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3619 type: array
3620 items:
3621 type: string
3622 x-kubernetes-map-type: atomic
3623 x-kubernetes-map-type: atomic
3624 podAffinity:
3625 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3626 type: object
3627 properties:
3628 preferredDuringSchedulingIgnoredDuringExecution:
3629 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3630 type: array
3631 items:
3632 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3633 type: object
3634 required:
3635 - podAffinityTerm
3636 - weight
3637 properties:
3638 podAffinityTerm:
3639 description: Required. A pod affinity term, associated with the corresponding weight.
3640 type: object
3641 required:
3642 - topologyKey
3643 properties:
3644 labelSelector:
3645 description: A label query over a set of resources, in this case pods.
3646 type: object
3647 properties:
3648 matchExpressions:
3649 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3650 type: array
3651 items:
3652 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3653 type: object
3654 required:
3655 - key
3656 - operator
3657 properties:
3658 key:
3659 description: key is the label key that the selector applies to.
3660 type: string
3661 operator:
3662 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3663 type: string
3664 values:
3665 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3666 type: array
3667 items:
3668 type: string
3669 matchLabels:
3670 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3671 type: object
3672 additionalProperties:
3673 type: string
3674 x-kubernetes-map-type: atomic
3675 namespaceSelector:
3676 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3677 type: object
3678 properties:
3679 matchExpressions:
3680 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3681 type: array
3682 items:
3683 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3684 type: object
3685 required:
3686 - key
3687 - operator
3688 properties:
3689 key:
3690 description: key is the label key that the selector applies to.
3691 type: string
3692 operator:
3693 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3694 type: string
3695 values:
3696 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3697 type: array
3698 items:
3699 type: string
3700 matchLabels:
3701 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3702 type: object
3703 additionalProperties:
3704 type: string
3705 x-kubernetes-map-type: atomic
3706 namespaces:
3707 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3708 type: array
3709 items:
3710 type: string
3711 topologyKey:
3712 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3713 type: string
3714 weight:
3715 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3716 type: integer
3717 format: int32
3718 requiredDuringSchedulingIgnoredDuringExecution:
3719 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3720 type: array
3721 items:
3722 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3723 type: object
3724 required:
3725 - topologyKey
3726 properties:
3727 labelSelector:
3728 description: A label query over a set of resources, in this case pods.
3729 type: object
3730 properties:
3731 matchExpressions:
3732 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3733 type: array
3734 items:
3735 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3736 type: object
3737 required:
3738 - key
3739 - operator
3740 properties:
3741 key:
3742 description: key is the label key that the selector applies to.
3743 type: string
3744 operator:
3745 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3746 type: string
3747 values:
3748 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3749 type: array
3750 items:
3751 type: string
3752 matchLabels:
3753 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3754 type: object
3755 additionalProperties:
3756 type: string
3757 x-kubernetes-map-type: atomic
3758 namespaceSelector:
3759 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3760 type: object
3761 properties:
3762 matchExpressions:
3763 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3764 type: array
3765 items:
3766 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3767 type: object
3768 required:
3769 - key
3770 - operator
3771 properties:
3772 key:
3773 description: key is the label key that the selector applies to.
3774 type: string
3775 operator:
3776 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3777 type: string
3778 values:
3779 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3780 type: array
3781 items:
3782 type: string
3783 matchLabels:
3784 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3785 type: object
3786 additionalProperties:
3787 type: string
3788 x-kubernetes-map-type: atomic
3789 namespaces:
3790 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3791 type: array
3792 items:
3793 type: string
3794 topologyKey:
3795 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3796 type: string
3797 podAntiAffinity:
3798 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3799 type: object
3800 properties:
3801 preferredDuringSchedulingIgnoredDuringExecution:
3802 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3803 type: array
3804 items:
3805 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3806 type: object
3807 required:
3808 - podAffinityTerm
3809 - weight
3810 properties:
3811 podAffinityTerm:
3812 description: Required. A pod affinity term, associated with the corresponding weight.
3813 type: object
3814 required:
3815 - topologyKey
3816 properties:
3817 labelSelector:
3818 description: A label query over a set of resources, in this case pods.
3819 type: object
3820 properties:
3821 matchExpressions:
3822 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3823 type: array
3824 items:
3825 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3826 type: object
3827 required:
3828 - key
3829 - operator
3830 properties:
3831 key:
3832 description: key is the label key that the selector applies to.
3833 type: string
3834 operator:
3835 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3836 type: string
3837 values:
3838 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3839 type: array
3840 items:
3841 type: string
3842 matchLabels:
3843 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3844 type: object
3845 additionalProperties:
3846 type: string
3847 x-kubernetes-map-type: atomic
3848 namespaceSelector:
3849 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3850 type: object
3851 properties:
3852 matchExpressions:
3853 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3854 type: array
3855 items:
3856 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3857 type: object
3858 required:
3859 - key
3860 - operator
3861 properties:
3862 key:
3863 description: key is the label key that the selector applies to.
3864 type: string
3865 operator:
3866 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3867 type: string
3868 values:
3869 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3870 type: array
3871 items:
3872 type: string
3873 matchLabels:
3874 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3875 type: object
3876 additionalProperties:
3877 type: string
3878 x-kubernetes-map-type: atomic
3879 namespaces:
3880 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3881 type: array
3882 items:
3883 type: string
3884 topologyKey:
3885 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3886 type: string
3887 weight:
3888 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3889 type: integer
3890 format: int32
3891 requiredDuringSchedulingIgnoredDuringExecution:
3892 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3893 type: array
3894 items:
3895 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3896 type: object
3897 required:
3898 - topologyKey
3899 properties:
3900 labelSelector:
3901 description: A label query over a set of resources, in this case pods.
3902 type: object
3903 properties:
3904 matchExpressions:
3905 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3906 type: array
3907 items:
3908 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3909 type: object
3910 required:
3911 - key
3912 - operator
3913 properties:
3914 key:
3915 description: key is the label key that the selector applies to.
3916 type: string
3917 operator:
3918 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3919 type: string
3920 values:
3921 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3922 type: array
3923 items:
3924 type: string
3925 matchLabels:
3926 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3927 type: object
3928 additionalProperties:
3929 type: string
3930 x-kubernetes-map-type: atomic
3931 namespaceSelector:
3932 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3933 type: object
3934 properties:
3935 matchExpressions:
3936 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3937 type: array
3938 items:
3939 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3940 type: object
3941 required:
3942 - key
3943 - operator
3944 properties:
3945 key:
3946 description: key is the label key that the selector applies to.
3947 type: string
3948 operator:
3949 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3950 type: string
3951 values:
3952 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3953 type: array
3954 items:
3955 type: string
3956 matchLabels:
3957 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3958 type: object
3959 additionalProperties:
3960 type: string
3961 x-kubernetes-map-type: atomic
3962 namespaces:
3963 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3964 type: array
3965 items:
3966 type: string
3967 topologyKey:
3968 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3969 type: string
3970 imagePullSecrets:
3971 description: If specified, the pod's imagePullSecrets
3972 type: array
3973 items:
3974 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
3975 type: object
3976 properties:
3977 name:
3978 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
3979 type: string
3980 x-kubernetes-map-type: atomic
3981 nodeSelector:
3982 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3983 type: object
3984 additionalProperties:
3985 type: string
3986 priorityClassName:
3987 description: If specified, the pod's priorityClassName.
3988 type: string
3989 serviceAccountName:
3990 description: If specified, the pod's service account
3991 type: string
3992 tolerations:
3993 description: If specified, the pod's tolerations.
3994 type: array
3995 items:
3996 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3997 type: object
3998 properties:
3999 effect:
4000 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4001 type: string
4002 key:
4003 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4004 type: string
4005 operator:
4006 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
4007 type: string
4008 tolerationSeconds:
4009 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
4010 type: integer
4011 format: int64
4012 value:
4013 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
4014 type: string
4015 serviceType:
4016 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4017 type: string
4018 selector:
4019 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
4020 type: object
4021 properties:
4022 dnsNames:
4023 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4024 type: array
4025 items:
4026 type: string
4027 dnsZones:
4028 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4029 type: array
4030 items:
4031 type: string
4032 matchLabels:
4033 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
4034 type: object
4035 additionalProperties:
4036 type: string
4037 ca:
4038 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
4039 type: object
4040 required:
4041 - secretName
4042 properties:
4043 crlDistributionPoints:
4044 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
4045 type: array
4046 items:
4047 type: string
4048 ocspServers:
4049 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
4050 type: array
4051 items:
4052 type: string
4053 secretName:
4054 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
4055 type: string
4056 selfSigned:
4057 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
4058 type: object
4059 properties:
4060 crlDistributionPoints:
4061 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
4062 type: array
4063 items:
4064 type: string
4065 vault:
4066 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
4067 type: object
4068 required:
4069 - auth
4070 - path
4071 - server
4072 properties:
4073 auth:
4074 description: Auth configures how cert-manager authenticates with the Vault server.
4075 type: object
4076 properties:
4077 appRole:
4078 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
4079 type: object
4080 required:
4081 - path
4082 - roleId
4083 - secretRef
4084 properties:
4085 path:
4086 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
4087 type: string
4088 roleId:
4089 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
4090 type: string
4091 secretRef:
4092 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
4093 type: object
4094 required:
4095 - name
4096 properties:
4097 key:
4098 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4099 type: string
4100 name:
4101 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4102 type: string
4103 kubernetes:
4104 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
4105 type: object
4106 required:
4107 - role
4108 properties:
4109 mountPath:
4110 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
4111 type: string
4112 role:
4113 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
4114 type: string
4115 secretRef:
4116 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
4117 type: object
4118 required:
4119 - name
4120 properties:
4121 key:
4122 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4123 type: string
4124 name:
4125 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4126 type: string
4127 serviceAccountRef:
4128 description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
4129 type: object
4130 required:
4131 - name
4132 properties:
4133 name:
4134 description: Name of the ServiceAccount used to request a token.
4135 type: string
4136 tokenSecretRef:
4137 description: TokenSecretRef authenticates with Vault by presenting a token.
4138 type: object
4139 required:
4140 - name
4141 properties:
4142 key:
4143 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4144 type: string
4145 name:
4146 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4147 type: string
4148 caBundle:
4149 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
4150 type: string
4151 format: byte
4152 caBundleSecretRef:
4153 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
4154 type: object
4155 required:
4156 - name
4157 properties:
4158 key:
4159 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4160 type: string
4161 name:
4162 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4163 type: string
4164 namespace:
4165 description: 'Name of the Vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
4166 type: string
4167 path:
4168 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
4169 type: string
4170 server:
4171 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
4172 type: string
4173 venafi:
4174 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
4175 type: object
4176 required:
4177 - zone
4178 properties:
4179 cloud:
4180 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
4181 type: object
4182 required:
4183 - apiTokenSecretRef
4184 properties:
4185 apiTokenSecretRef:
4186 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
4187 type: object
4188 required:
4189 - name
4190 properties:
4191 key:
4192 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4193 type: string
4194 name:
4195 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4196 type: string
4197 url:
4198 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
4199 type: string
4200 tpp:
4201 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
4202 type: object
4203 required:
4204 - credentialsRef
4205 - url
4206 properties:
4207 caBundle:
4208 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
4209 type: string
4210 format: byte
4211 credentialsRef:
4212 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
4213 type: object
4214 required:
4215 - name
4216 properties:
4217 name:
4218 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4219 type: string
4220 url:
4221 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
4222 type: string
4223 zone:
4224 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
4225 type: string
4226 status:
4227 description: Status of the Issuer. This is set and managed automatically.
4228 type: object
4229 properties:
4230 acme:
4231 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
4232 type: object
4233 properties:
4234 lastPrivateKeyHash:
4235 description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
4236 type: string
4237 lastRegisteredEmail:
4238 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
4239 type: string
4240 uri:
4241 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
4242 type: string
4243 conditions:
4244 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
4245 type: array
4246 items:
4247 description: IssuerCondition contains condition information for an Issuer.
4248 type: object
4249 required:
4250 - status
4251 - type
4252 properties:
4253 lastTransitionTime:
4254 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
4255 type: string
4256 format: date-time
4257 message:
4258 description: Message is a human readable description of the details of the last transition, complementing reason.
4259 type: string
4260 observedGeneration:
4261 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
4262 type: integer
4263 format: int64
4264 reason:
4265 description: Reason is a brief machine readable explanation for the condition's last transition.
4266 type: string
4267 status:
4268 description: Status of the condition, one of (`True`, `False`, `Unknown`).
4269 type: string
4270 enum:
4271 - "True"
4272 - "False"
4273 - Unknown
4274 type:
4275 description: Type of the condition, known values are (`Ready`).
4276 type: string
4277 x-kubernetes-list-map-keys:
4278 - type
4279 x-kubernetes-list-type: map
4280 served: true
4281 storage: true
4282---
4283apiVersion: apiextensions.k8s.io/v1
4284kind: CustomResourceDefinition
4285metadata:
4286 name: orders.acme.cert-manager.io
4287 labels:
4288 app: '{{ template "cert-manager.name" . }}'
4289 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
4290 app.kubernetes.io/instance: '{{ .Release.Name }}'
4291 # Generated labels {{- include "labels" . | nindent 4 }}
4292spec:
4293 group: acme.cert-manager.io
4294 names:
4295 kind: Order
4296 listKind: OrderList
4297 plural: orders
4298 singular: order
4299 categories:
4300 - cert-manager
4301 - cert-manager-acme
4302 scope: Namespaced
4303 versions:
4304 - name: v1
4305 subresources:
4306 status: {}
4307 additionalPrinterColumns:
4308 - jsonPath: .status.state
4309 name: State
4310 type: string
4311 - jsonPath: .spec.issuerRef.name
4312 name: Issuer
4313 priority: 1
4314 type: string
4315 - jsonPath: .status.reason
4316 name: Reason
4317 priority: 1
4318 type: string
4319 - jsonPath: .metadata.creationTimestamp
4320 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4321 name: Age
4322 type: date
4323 schema:
4324 openAPIV3Schema:
4325 description: Order is a type to represent an Order with an ACME server
4326 type: object
4327 required:
4328 - metadata
4329 - spec
4330 properties:
4331 apiVersion:
4332 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4333 type: string
4334 kind:
4335 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4336 type: string
4337 metadata:
4338 type: object
4339 spec:
4340 type: object
4341 required:
4342 - issuerRef
4343 - request
4344 properties:
4345 commonName:
4346 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
4347 type: string
4348 dnsNames:
4349 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4350 type: array
4351 items:
4352 type: string
4353 duration:
4354 description: Duration is the duration for the not-after date for the requested certificate. This is set on order creation as per the ACME spec.
4355 type: string
4356 ipAddresses:
4357 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4358 type: array
4359 items:
4360 type: string
4361 issuerRef:
4362 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
4363 type: object
4364 required:
4365 - name
4366 properties:
4367 group:
4368 description: Group of the resource being referred to.
4369 type: string
4370 kind:
4371 description: Kind of the resource being referred to.
4372 type: string
4373 name:
4374 description: Name of the resource being referred to.
4375 type: string
4376 request:
4377 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
4378 type: string
4379 format: byte
4380 status:
4381 type: object
4382 properties:
4383 authorizations:
4384 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
4385 type: array
4386 items:
4387 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
4388 type: object
4389 required:
4390 - url
4391 properties:
4392 challenges:
4393 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
4394 type: array
4395 items:
4396 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
4397 type: object
4398 required:
4399 - token
4400 - type
4401 - url
4402 properties:
4403 token:
4404 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
4405 type: string
4406 type:
4407 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
4408 type: string
4409 url:
4410 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
4411 type: string
4412 identifier:
4413 description: Identifier is the DNS name to be validated as part of this authorization
4414 type: string
4415 initialState:
4416 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
4417 type: string
4418 enum:
4419 - valid
4420 - ready
4421 - pending
4422 - processing
4423 - invalid
4424 - expired
4425 - errored
4426 url:
4427 description: URL is the URL of the Authorization that must be completed
4428 type: string
4429 wildcard:
4430 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
4431 type: boolean
4432 certificate:
4433 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
4434 type: string
4435 format: byte
4436 failureTime:
4437 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
4438 type: string
4439 format: date-time
4440 finalizeURL:
4441 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
4442 type: string
4443 reason:
4444 description: Reason optionally provides more information about why the order is in the current state.
4445 type: string
4446 state:
4447 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
4448 type: string
4449 enum:
4450 - valid
4451 - ready
4452 - pending
4453 - processing
4454 - invalid
4455 - expired
4456 - errored
4457 url:
4458 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
4459 type: string
4460 served: true
4461 storage: true
4462{{- end }}