1{{- if .Values.installCRDs }}
2apiVersion: apiextensions.k8s.io/v1
3kind: CustomResourceDefinition
4metadata:
5 name: clusterissuers.cert-manager.io
6 labels:
7 app: '{{ template "cert-manager.name" . }}'
8 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
9 app.kubernetes.io/instance: '{{ .Release.Name }}'
10 # Generated labels {{- include "labels" . | nindent 4 }}
11spec:
12 group: cert-manager.io
13 names:
14 kind: ClusterIssuer
15 listKind: ClusterIssuerList
16 plural: clusterissuers
17 singular: clusterissuer
18 categories:
19 - cert-manager
20 scope: Cluster
21 versions:
22 - name: v1
23 subresources:
24 status: {}
25 additionalPrinterColumns:
26 - jsonPath: .status.conditions[?(@.type=="Ready")].status
27 name: Ready
28 type: string
29 - jsonPath: .status.conditions[?(@.type=="Ready")].message
30 name: Status
31 priority: 1
32 type: string
33 - jsonPath: .metadata.creationTimestamp
34 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
35 name: Age
36 type: date
37 schema:
38 openAPIV3Schema:
39 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
40 type: object
41 required:
42 - spec
43 properties:
44 apiVersion:
45 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
46 type: string
47 kind:
48 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
49 type: string
50 metadata:
51 type: object
52 spec:
53 description: Desired state of the ClusterIssuer resource.
54 type: object
55 properties:
56 acme:
57 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
58 type: object
59 required:
60 - privateKeySecretRef
61 - server
62 properties:
63 caBundle:
64 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
65 type: string
66 format: byte
67 disableAccountKeyGeneration:
68 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
69 type: boolean
70 email:
71 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
72 type: string
73 enableDurationFeature:
74 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers (for example, Let's Encrypt does not support it). If set to true when the ACME server does not support it, an error will be raised on the Order. Defaults to false.
75 type: boolean
76 externalAccountBinding:
77 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
78 type: object
79 required:
80 - keyID
81 - keySecretRef
82 properties:
83 keyAlgorithm:
84 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
85 type: string
86 enum:
87 - HS256
88 - HS384
89 - HS512
90 keyID:
91 description: keyID is the ID of the CA key that the External Account is bound to.
92 type: string
93 keySecretRef:
94 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
95 type: object
96 required:
97 - name
98 properties:
99 key:
100 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
101 type: string
102 name:
103 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
104 type: string
105 preferredChain:
106 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
107 type: string
108 maxLength: 64
109 privateKeySecretRef:
110 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
111 type: object
112 required:
113 - name
114 properties:
115 key:
116 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
117 type: string
118 name:
119 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
120 type: string
121 server:
122 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
123 type: string
124 skipTLSVerify:
125 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
126 type: boolean
127 solvers:
128 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
129 type: array
130 items:
131 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
132 type: object
133 properties:
134 dns01:
135 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
136 type: object
137 properties:
138 acmeDNS:
139 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
140 type: object
141 required:
142 - accountSecretRef
143 - host
144 properties:
145 accountSecretRef:
146 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
147 type: object
148 required:
149 - name
150 properties:
151 key:
152 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
153 type: string
154 name:
155 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
156 type: string
157 host:
158 type: string
159 akamai:
160 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
161 type: object
162 required:
163 - accessTokenSecretRef
164 - clientSecretSecretRef
165 - clientTokenSecretRef
166 - serviceConsumerDomain
167 properties:
168 accessTokenSecretRef:
169 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
170 type: object
171 required:
172 - name
173 properties:
174 key:
175 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
176 type: string
177 name:
178 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
179 type: string
180 clientSecretSecretRef:
181 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
182 type: object
183 required:
184 - name
185 properties:
186 key:
187 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
188 type: string
189 name:
190 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
191 type: string
192 clientTokenSecretRef:
193 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
194 type: object
195 required:
196 - name
197 properties:
198 key:
199 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
200 type: string
201 name:
202 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
203 type: string
204 serviceConsumerDomain:
205 type: string
206 azureDNS:
207 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
208 type: object
209 required:
210 - resourceGroupName
211 - subscriptionID
212 properties:
213 clientID:
214 description: If both this and clientSecretSecretRef are left unset, MSI (managed identity) will be used.
215 type: string
216 clientSecretSecretRef:
217 description: If both this and clientID are left unset, MSI (managed identity) will be used.
218 type: object
219 required:
220 - name
221 properties:
222 key:
223 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
224 type: string
225 name:
226 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
227 type: string
228 environment:
229 description: name of the Azure environment (default AzurePublicCloud)
230 type: string
231 enum:
232 - AzurePublicCloud
233 - AzureChinaCloud
234 - AzureGermanCloud
235 - AzureUSGovernmentCloud
236 hostedZoneName:
237 description: name of the DNS zone that should be used
238 type: string
239 managedIdentity:
240 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
241 type: object
242 properties:
243 clientID:
244 description: client ID of the managed identity, can not be used at the same time as resourceID
245 type: string
246 resourceID:
247 description: resource ID of the managed identity, can not be used at the same time as clientID
248 type: string
249 resourceGroupName:
250 description: resource group the DNS zone is located in
251 type: string
252 subscriptionID:
253 description: ID of the Azure subscription
254 type: string
255 tenantID:
256 description: When specifying clientID and clientSecretSecretRef, this field is also required.
257 type: string
258 cloudDNS:
259 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
260 type: object
261 required:
262 - project
263 properties:
264 hostedZoneName:
265 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
266 type: string
267 project:
268 type: string
269 serviceAccountSecretRef:
270 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
271 type: object
272 required:
273 - name
274 properties:
275 key:
276 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
277 type: string
278 name:
279 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
280 type: string
281 cloudflare:
282 description: Use the Cloudflare API to manage DNS01 challenge records.
283 type: object
284 properties:
285 apiKeySecretRef:
286 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
287 type: object
288 required:
289 - name
290 properties:
291 key:
292 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
293 type: string
294 name:
295 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
296 type: string
297 apiTokenSecretRef:
298 description: API token used to authenticate with Cloudflare.
299 type: object
300 required:
301 - name
302 properties:
303 key:
304 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
305 type: string
306 name:
307 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
308 type: string
309 email:
310 description: Email of the account, only required when using API key based authentication.
311 type: string
312 cnameStrategy:
313 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
314 type: string
315 enum:
316 - None
317 - Follow
318 digitalocean:
319 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
320 type: object
321 required:
322 - tokenSecretRef
323 properties:
324 tokenSecretRef:
325 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
326 type: object
327 required:
328 - name
329 properties:
330 key:
331 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
332 type: string
333 name:
334 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
335 type: string
336 rfc2136:
337 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
338 type: object
339 required:
340 - nameserver
341 properties:
342 nameserver:
343 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
344 type: string
345 tsigAlgorithm:
346 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` and ``HMACSHA1`` are retained for compatibility with older servers; prefer ``HMACSHA256`` or ``HMACSHA512`` where the nameserver supports them.'
347 type: string
348 tsigKeyName:
349 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
350 type: string
351 tsigSecretSecretRef:
352 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
353 type: object
354 required:
355 - name
356 properties:
357 key:
358 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
359 type: string
360 name:
361 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
362 type: string
363 route53:
364 description: Use the AWS Route53 API to manage DNS01 challenge records.
365 type: object
366 required:
367 - region
368 properties:
369 accessKeyID:
370 description: 'The AccessKeyID is used for authentication. Cannot be set when accessKeyIDSecretRef is set. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
371 type: string
372 accessKeyIDSecretRef:
373 description: 'The AccessKeyIDSecretRef is used for authentication. If set, the AWS access key ID is read from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
374 type: object
375 required:
376 - name
377 properties:
378 key:
379 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
380 type: string
381 name:
382 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
383 type: string
384 hostedZoneID:
385 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
386 type: string
387 region:
388 description: Always set the region when using AccessKeyID and SecretAccessKey
389 type: string
390 role:
391 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
392 type: string
393 secretAccessKeySecretRef:
394 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
395 type: object
396 required:
397 - name
398 properties:
399 key:
400 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
401 type: string
402 name:
403 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
404 type: string
405 webhook:
406 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
407 type: object
408 required:
409 - groupName
410 - solverName
411 properties:
412 config:
413 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
414 x-kubernetes-preserve-unknown-fields: true
415 groupName:
416 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
417 type: string
418 solverName:
419 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
420 type: string
421 http01:
422 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
423 type: object
424 properties:
425 gatewayHTTPRoute:
426 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
427 type: object
428 properties:
429 labels:
430 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
431 type: object
432 additionalProperties:
433 type: string
434 parentRefs:
435 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
436 type: array
437 items:
438 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
439 type: object
440 required:
441 - name
442 properties:
443 group:
444 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
445 type: string
446 default: gateway.networking.k8s.io
447 maxLength: 253
448 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
449 kind:
450 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
451 type: string
452 default: Gateway
453 maxLength: 63
454 minLength: 1
455 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
456 name:
457 description: "Name is the name of the referent. \n Support: Core"
458 type: string
459 maxLength: 253
460 minLength: 1
461 namespace:
462 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
463 type: string
464 maxLength: 63
465 minLength: 1
466 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
467 port:
468 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
469 type: integer
470 format: int32
471 maximum: 65535
472 minimum: 1
473 sectionName:
474 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
475 type: string
476 maxLength: 253
477 minLength: 1
478 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
479 serviceType:
480 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
481 type: string
482 ingress:
483 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
484 type: object
485 properties:
486 class:
487 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
488 type: string
489 ingressTemplate:
490 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
491 type: object
492 properties:
493 metadata:
494 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
495 type: object
496 properties:
497 annotations:
498 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
499 type: object
500 additionalProperties:
501 type: string
502 labels:
503 description: Labels that should be added to the created ACME HTTP01 solver ingress.
504 type: object
505 additionalProperties:
506 type: string
507 name:
508 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
509 type: string
510 podTemplate:
511 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
512 type: object
513 properties:
514 metadata:
515 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
516 type: object
517 properties:
518 annotations:
519 description: Annotations that should be added to the created ACME HTTP01 solver pods.
520 type: object
521 additionalProperties:
522 type: string
523 labels:
524 description: Labels that should be added to the created ACME HTTP01 solver pods.
525 type: object
526 additionalProperties:
527 type: string
528 spec:
529 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
530 type: object
531 properties:
532 affinity:
533 description: If specified, the pod's scheduling constraints
534 type: object
535 properties:
536 nodeAffinity:
537 description: Describes node affinity scheduling rules for the pod.
538 type: object
539 properties:
540 preferredDuringSchedulingIgnoredDuringExecution:
541 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
542 type: array
543 items:
544 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
545 type: object
546 required:
547 - preference
548 - weight
549 properties:
550 preference:
551 description: A node selector term, associated with the corresponding weight.
552 type: object
553 properties:
554 matchExpressions:
555 description: A list of node selector requirements by node's labels.
556 type: array
557 items:
558 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
559 type: object
560 required:
561 - key
562 - operator
563 properties:
564 key:
565 description: The label key that the selector applies to.
566 type: string
567 operator:
568 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
569 type: string
570 values:
571 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
572 type: array
573 items:
574 type: string
575 matchFields:
576 description: A list of node selector requirements by node's fields.
577 type: array
578 items:
579 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
580 type: object
581 required:
582 - key
583 - operator
584 properties:
585 key:
586 description: The label key that the selector applies to.
587 type: string
588 operator:
589 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
590 type: string
591 values:
592 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
593 type: array
594 items:
595 type: string
596 x-kubernetes-map-type: atomic
597 weight:
598 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
599 type: integer
600 format: int32
601 requiredDuringSchedulingIgnoredDuringExecution:
602 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
603 type: object
604 required:
605 - nodeSelectorTerms
606 properties:
607 nodeSelectorTerms:
608 description: Required. A list of node selector terms. The terms are ORed.
609 type: array
610 items:
611 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
612 type: object
613 properties:
614 matchExpressions:
615 description: A list of node selector requirements by node's labels.
616 type: array
617 items:
618 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
619 type: object
620 required:
621 - key
622 - operator
623 properties:
624 key:
625 description: The label key that the selector applies to.
626 type: string
627 operator:
628 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
629 type: string
630 values:
631 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
632 type: array
633 items:
634 type: string
635 matchFields:
636 description: A list of node selector requirements by node's fields.
637 type: array
638 items:
639 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
640 type: object
641 required:
642 - key
643 - operator
644 properties:
645 key:
646 description: The label key that the selector applies to.
647 type: string
648 operator:
649 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
650 type: string
651 values:
652 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
653 type: array
654 items:
655 type: string
656 x-kubernetes-map-type: atomic
657 x-kubernetes-map-type: atomic
658 podAffinity:
659 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
660 type: object
661 properties:
662 preferredDuringSchedulingIgnoredDuringExecution:
663 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
664 type: array
665 items:
666 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
667 type: object
668 required:
669 - podAffinityTerm
670 - weight
671 properties:
672 podAffinityTerm:
673 description: Required. A pod affinity term, associated with the corresponding weight.
674 type: object
675 required:
676 - topologyKey
677 properties:
678 labelSelector:
679 description: A label query over a set of resources, in this case pods.
680 type: object
681 properties:
682 matchExpressions:
683 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
684 type: array
685 items:
686 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
687 type: object
688 required:
689 - key
690 - operator
691 properties:
692 key:
693 description: key is the label key that the selector applies to.
694 type: string
695 operator:
696 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
697 type: string
698 values:
699 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
700 type: array
701 items:
702 type: string
703 matchLabels:
704 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
705 type: object
706 additionalProperties:
707 type: string
708 x-kubernetes-map-type: atomic
709 namespaceSelector:
710 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
711 type: object
712 properties:
713 matchExpressions:
714 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
715 type: array
716 items:
717 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
718 type: object
719 required:
720 - key
721 - operator
722 properties:
723 key:
724 description: key is the label key that the selector applies to.
725 type: string
726 operator:
727 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
728 type: string
729 values:
730 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
731 type: array
732 items:
733 type: string
734 matchLabels:
735 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
736 type: object
737 additionalProperties:
738 type: string
739 x-kubernetes-map-type: atomic
740 namespaces:
741 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
742 type: array
743 items:
744 type: string
745 topologyKey:
746 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
747 type: string
748 weight:
749 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
750 type: integer
751 format: int32
752 requiredDuringSchedulingIgnoredDuringExecution:
753 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
754 type: array
755 items:
756 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
757 type: object
758 required:
759 - topologyKey
760 properties:
761 labelSelector:
762 description: A label query over a set of resources, in this case pods.
763 type: object
764 properties:
765 matchExpressions:
766 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
767 type: array
768 items:
769 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
770 type: object
771 required:
772 - key
773 - operator
774 properties:
775 key:
776 description: key is the label key that the selector applies to.
777 type: string
778 operator:
779 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
780 type: string
781 values:
782 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
783 type: array
784 items:
785 type: string
786 matchLabels:
787 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
788 type: object
789 additionalProperties:
790 type: string
791 x-kubernetes-map-type: atomic
792 namespaceSelector:
793 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
794 type: object
795 properties:
796 matchExpressions:
797 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
798 type: array
799 items:
800 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
801 type: object
802 required:
803 - key
804 - operator
805 properties:
806 key:
807 description: key is the label key that the selector applies to.
808 type: string
809 operator:
810 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
811 type: string
812 values:
813 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
814 type: array
815 items:
816 type: string
817 matchLabels:
818 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
819 type: object
820 additionalProperties:
821 type: string
822 x-kubernetes-map-type: atomic
823 namespaces:
824 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
825 type: array
826 items:
827 type: string
828 topologyKey:
829 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
830 type: string
831 podAntiAffinity:
832 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
833 type: object
834 properties:
835 preferredDuringSchedulingIgnoredDuringExecution:
836 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
837 type: array
838 items:
839 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
840 type: object
841 required:
842 - podAffinityTerm
843 - weight
844 properties:
845 podAffinityTerm:
846 description: Required. A pod affinity term, associated with the corresponding weight.
847 type: object
848 required:
849 - topologyKey
850 properties:
851 labelSelector:
852 description: A label query over a set of resources, in this case pods.
853 type: object
854 properties:
855 matchExpressions:
856 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
857 type: array
858 items:
859 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
860 type: object
861 required:
862 - key
863 - operator
864 properties:
865 key:
866 description: key is the label key that the selector applies to.
867 type: string
868 operator:
869 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
870 type: string
871 values:
872 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
873 type: array
874 items:
875 type: string
876 matchLabels:
877 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
878 type: object
879 additionalProperties:
880 type: string
881 x-kubernetes-map-type: atomic
882 namespaceSelector:
883 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
884 type: object
885 properties:
886 matchExpressions:
887 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
888 type: array
889 items:
890 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
891 type: object
892 required:
893 - key
894 - operator
895 properties:
896 key:
897 description: key is the label key that the selector applies to.
898 type: string
899 operator:
900 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
901 type: string
902 values:
903 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
904 type: array
905 items:
906 type: string
907 matchLabels:
908 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
909 type: object
910 additionalProperties:
911 type: string
912 x-kubernetes-map-type: atomic
913 namespaces:
914 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
915 type: array
916 items:
917 type: string
918 topologyKey:
919 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
920 type: string
921 weight:
922 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
923 type: integer
924 format: int32
925 requiredDuringSchedulingIgnoredDuringExecution:
926 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
927 type: array
928 items:
929 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
930 type: object
931 required:
932 - topologyKey
933 properties:
934 labelSelector:
935 description: A label query over a set of resources, in this case pods.
936 type: object
937 properties:
938 matchExpressions:
939 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
940 type: array
941 items:
942 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
943 type: object
944 required:
945 - key
946 - operator
947 properties:
948 key:
949 description: key is the label key that the selector applies to.
950 type: string
951 operator:
952 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
953 type: string
954 values:
955 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
956 type: array
957 items:
958 type: string
959 matchLabels:
960 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
961 type: object
962 additionalProperties:
963 type: string
964 x-kubernetes-map-type: atomic
965 namespaceSelector:
966 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
967 type: object
968 properties:
969 matchExpressions:
970 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
971 type: array
972 items:
973 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
974 type: object
975 required:
976 - key
977 - operator
978 properties:
979 key:
980 description: key is the label key that the selector applies to.
981 type: string
982 operator:
983 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
984 type: string
985 values:
986 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
987 type: array
988 items:
989 type: string
990 matchLabels:
991 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
992 type: object
993 additionalProperties:
994 type: string
995 x-kubernetes-map-type: atomic
996 namespaces:
997 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
998 type: array
999 items:
1000 type: string
1001 topologyKey:
1002 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1003 type: string
1004 nodeSelector:
1005 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
1006 type: object
1007 additionalProperties:
1008 type: string
1009 priorityClassName:
1010 description: If specified, the pod's priorityClassName.
1011 type: string
1012 serviceAccountName:
1013 description: If specified, the pod's service account
1014 type: string
1015 tolerations:
1016 description: If specified, the pod's tolerations.
1017 type: array
1018 items:
1019 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
1020 type: object
1021 properties:
1022 effect:
1023 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
1024 type: string
1025 key:
1026 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
1027 type: string
1028 operator:
1029 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
1030 type: string
1031 tolerationSeconds:
1032 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
1033 type: integer
1034 format: int64
1035 value:
1036 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
1037 type: string
1038 serviceType:
1039 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1040 type: string
1041 selector:
1042 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
1043 type: object
1044 properties:
1045 dnsNames:
1046 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1047 type: array
1048 items:
1049 type: string
1050 dnsZones:
1051 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1052 type: array
1053 items:
1054 type: string
1055 matchLabels:
1056 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
1057 type: object
1058 additionalProperties:
1059 type: string
1060 ca:
1061 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
1062 type: object
1063 required:
1064 - secretName
1065 properties:
1066 crlDistributionPoints:
1067 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
1068 type: array
1069 items:
1070 type: string
1071 ocspServers:
1072 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
1073 type: array
1074 items:
1075 type: string
1076 secretName:
1077 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
1078 type: string
1079 selfSigned:
1080 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
1081 type: object
1082 properties:
1083 crlDistributionPoints:
1084 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
1085 type: array
1086 items:
1087 type: string
1088 vault:
1089 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
1090 type: object
1091 required:
1092 - auth
1093 - path
1094 - server
1095 properties:
1096 auth:
1097 description: Auth configures how cert-manager authenticates with the Vault server.
1098 type: object
1099 properties:
1100 appRole:
1101 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
1102 type: object
1103 required:
1104 - path
1105 - roleId
1106 - secretRef
1107 properties:
1108 path:
1109 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
1110 type: string
1111 roleId:
1112 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
1113 type: string
1114 secretRef:
1115 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
1116 type: object
1117 required:
1118 - name
1119 properties:
1120 key:
1121 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1122 type: string
1123 name:
1124 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1125 type: string
1126 kubernetes:
1127 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
1128 type: object
1129 required:
1130 - role
1131 - secretRef
1132 properties:
1133 mountPath:
1134 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
1135 type: string
1136 role:
1137 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
1138 type: string
1139 secretRef:
1140 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
1141 type: object
1142 required:
1143 - name
1144 properties:
1145 key:
1146 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1147 type: string
1148 name:
1149 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1150 type: string
1151 tokenSecretRef:
1152 description: TokenSecretRef authenticates with Vault by presenting a token.
1153 type: object
1154 required:
1155 - name
1156 properties:
1157 key:
1158 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1159 type: string
1160 name:
1161 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1162 type: string
1163 caBundle:
1164 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
1165 type: string
1166 format: byte
1167 caBundleSecretRef:
1168 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
1169 type: object
1170 required:
1171 - name
1172 properties:
1173 key:
1174 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1175 type: string
1176 name:
1177 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1178 type: string
1179 namespace:
1180 description: 'Name of the Vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found at https://www.vaultproject.io/docs/enterprise/namespaces'
1181 type: string
1182 path:
1183 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
1184 type: string
1185 server:
1186 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
1187 type: string
1188 venafi:
1189 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
1190 type: object
1191 required:
1192 - zone
1193 properties:
1194 cloud:
1195 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
1196 type: object
1197 required:
1198 - apiTokenSecretRef
1199 properties:
1200 apiTokenSecretRef:
1201 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
1202 type: object
1203 required:
1204 - name
1205 properties:
1206 key:
1207 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1208 type: string
1209 name:
1210 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1211 type: string
1212 url:
1213 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
1214 type: string
1215 tpp:
1216 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
1217 type: object
1218 required:
1219 - credentialsRef
1220 - url
1221 properties:
1222 caBundle:
1223 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
1224 type: string
1225 format: byte
1226 credentialsRef:
1227 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
1228 type: object
1229 required:
1230 - name
1231 properties:
1232 name:
1233 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1234 type: string
1235 url:
1236 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
1237 type: string
1238 zone:
1239 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
1240 type: string
1241 status:
1242 description: Status of the ClusterIssuer. This is set and managed automatically.
1243 type: object
1244 properties:
1245 acme:
1246 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
1247 type: object
1248 properties:
1249 lastRegisteredEmail:
1250 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
1251 type: string
1252 uri:
1253 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
1254 type: string
1255 conditions:
1256 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
1257 type: array
1258 items:
1259 description: IssuerCondition contains condition information for an Issuer.
1260 type: object
1261 required:
1262 - status
1263 - type
1264 properties:
1265 lastTransitionTime:
1266 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1267 type: string
1268 format: date-time
1269 message:
1270 description: Message is a human readable description of the details of the last transition, complementing reason.
1271 type: string
1272 observedGeneration:
1273 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
1274 type: integer
1275 format: int64
1276 reason:
1277 description: Reason is a brief machine readable explanation for the condition's last transition.
1278 type: string
1279 status:
1280 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1281 type: string
1282 enum:
1283 - "True"
1284 - "False"
1285 - Unknown
1286 type:
1287 description: Type of the condition, known values are (`Ready`).
1288 type: string
1289 x-kubernetes-list-map-keys:
1290 - type
1291 x-kubernetes-list-type: map
1292 served: true
1293 storage: true
1294---
1295apiVersion: apiextensions.k8s.io/v1
1296kind: CustomResourceDefinition
1297metadata:
1298 name: challenges.acme.cert-manager.io
1299 labels:
1300 app: '{{ template "cert-manager.name" . }}'
1301 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
1302 app.kubernetes.io/instance: '{{ .Release.Name }}'
1303 # Generated labels {{- include "labels" . | nindent 4 }}
1304spec:
1305 group: acme.cert-manager.io
1306 names:
1307 kind: Challenge
1308 listKind: ChallengeList
1309 plural: challenges
1310 singular: challenge
1311 categories:
1312 - cert-manager
1313 - cert-manager-acme
1314 scope: Namespaced
1315 versions:
1316 - additionalPrinterColumns:
1317 - jsonPath: .status.state
1318 name: State
1319 type: string
1320 - jsonPath: .spec.dnsName
1321 name: Domain
1322 type: string
1323 - jsonPath: .status.reason
1324 name: Reason
1325 priority: 1
1326 type: string
1327 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1328 jsonPath: .metadata.creationTimestamp
1329 name: Age
1330 type: date
1331 name: v1
1332 schema:
1333 openAPIV3Schema:
1334 description: Challenge is a type to represent a Challenge request with an ACME server
1335 type: object
1336 required:
1337 - metadata
1338 - spec
1339 properties:
1340 apiVersion:
1341 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1342 type: string
1343 kind:
1344 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1345 type: string
1346 metadata:
1347 type: object
1348 spec:
1349 type: object
1350 required:
1351 - authorizationURL
1352 - dnsName
1353 - issuerRef
1354 - key
1355 - solver
1356 - token
1357 - type
1358 - url
1359 properties:
1360 authorizationURL:
1361 description: The URL to the ACME Authorization resource that this challenge is a part of.
1362 type: string
1363 dnsName:
1364 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
1365 type: string
1366 issuerRef:
1367 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
1368 type: object
1369 required:
1370 - name
1371 properties:
1372 group:
1373 description: Group of the resource being referred to.
1374 type: string
1375 kind:
1376 description: Kind of the resource being referred to.
1377 type: string
1378 name:
1379 description: Name of the resource being referred to.
1380 type: string
1381 key:
1382 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
1383 type: string
1384 solver:
1385 description: Contains the domain solving configuration that should be used to solve this challenge resource.
1386 type: object
1387 properties:
1388 dns01:
1389 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
1390 type: object
1391 properties:
1392 acmeDNS:
1393 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
1394 type: object
1395 required:
1396 - accountSecretRef
1397 - host
1398 properties:
1399 accountSecretRef:
1400 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1401 type: object
1402 required:
1403 - name
1404 properties:
1405 key:
1406 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1407 type: string
1408 name:
1409 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1410 type: string
1411 host:
1412 type: string
1413 akamai:
1414 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
1415 type: object
1416 required:
1417 - accessTokenSecretRef
1418 - clientSecretSecretRef
1419 - clientTokenSecretRef
1420 - serviceConsumerDomain
1421 properties:
1422 accessTokenSecretRef:
1423 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1424 type: object
1425 required:
1426 - name
1427 properties:
1428 key:
1429 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1430 type: string
1431 name:
1432 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1433 type: string
1434 clientSecretSecretRef:
1435 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1436 type: object
1437 required:
1438 - name
1439 properties:
1440 key:
1441 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1442 type: string
1443 name:
1444 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1445 type: string
1446 clientTokenSecretRef:
1447 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1448 type: object
1449 required:
1450 - name
1451 properties:
1452 key:
1453 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1454 type: string
1455 name:
1456 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1457 type: string
1458 serviceConsumerDomain:
1459 type: string
1460 azureDNS:
1461 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
1462 type: object
1463 required:
1464 - resourceGroupName
1465 - subscriptionID
1466 properties:
1467 clientID:
1468 description: If both this and ClientSecret are left unset, MSI will be used.
1469 type: string
1470 clientSecretSecretRef:
1471 description: If both this and ClientID are left unset, MSI will be used.
1472 type: object
1473 required:
1474 - name
1475 properties:
1476 key:
1477 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1478 type: string
1479 name:
1480 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1481 type: string
1482 environment:
1483 description: name of the Azure environment (default AzurePublicCloud)
1484 type: string
1485 enum:
1486 - AzurePublicCloud
1487 - AzureChinaCloud
1488 - AzureGermanCloud
1489 - AzureUSGovernmentCloud
1490 hostedZoneName:
1491 description: name of the DNS zone that should be used
1492 type: string
1493 managedIdentity:
1494 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
1495 type: object
1496 properties:
1497 clientID:
1498 description: client ID of the managed identity, can not be used at the same time as resourceID
1499 type: string
1500 resourceID:
1501 description: resource ID of the managed identity, can not be used at the same time as clientID
1502 type: string
1503 resourceGroupName:
1504 description: resource group the DNS zone is located in
1505 type: string
1506 subscriptionID:
1507 description: ID of the Azure subscription
1508 type: string
1509 tenantID:
1510 description: When specifying ClientID and ClientSecret, this field is also needed.
1511 type: string
1512 cloudDNS:
1513 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
1514 type: object
1515 required:
1516 - project
1517 properties:
1518 hostedZoneName:
1519 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty, cert-manager will automatically choose a zone.
1520 type: string
1521 project:
1522 type: string
1523 serviceAccountSecretRef:
1524 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1525 type: object
1526 required:
1527 - name
1528 properties:
1529 key:
1530 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1531 type: string
1532 name:
1533 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1534 type: string
1535 cloudflare:
1536 description: Use the Cloudflare API to manage DNS01 challenge records.
1537 type: object
1538 properties:
1539 apiKeySecretRef:
1540 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
1541 type: object
1542 required:
1543 - name
1544 properties:
1545 key:
1546 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1547 type: string
1548 name:
1549 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1550 type: string
1551 apiTokenSecretRef:
1552 description: API token used to authenticate with Cloudflare.
1553 type: object
1554 required:
1555 - name
1556 properties:
1557 key:
1558 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1559 type: string
1560 name:
1561 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1562 type: string
1563 email:
1564 description: Email of the account, only required when using API key based authentication.
1565 type: string
1566 cnameStrategy:
1567 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
1568 type: string
1569 enum:
1570 - None
1571 - Follow
1572 digitalocean:
1573 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
1574 type: object
1575 required:
1576 - tokenSecretRef
1577 properties:
1578 tokenSecretRef:
1579 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1580 type: object
1581 required:
1582 - name
1583 properties:
1584 key:
1585 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1586 type: string
1587 name:
1588 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1589 type: string
1590 rfc2136:
1591 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
1592 type: object
1593 required:
1594 - nameserver
1595 properties:
1596 nameserver:
1597 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
1598 type: string
1599 tsigAlgorithm:
1600 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
1601 type: string
1602 tsigKeyName:
1603 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
1604 type: string
1605 tsigSecretSecretRef:
1606 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
1607 type: object
1608 required:
1609 - name
1610 properties:
1611 key:
1612 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1613 type: string
1614 name:
1615 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1616 type: string
1617 route53:
1618 description: Use the AWS Route53 API to manage DNS01 challenge records.
1619 type: object
1620 required:
1621 - region
1622 properties:
1623 accessKeyID:
1624 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
1625 type: string
1626 accessKeyIDSecretRef:
1627 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
1628 type: object
1629 required:
1630 - name
1631 properties:
1632 key:
1633 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1634 type: string
1635 name:
1636 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1637 type: string
1638 hostedZoneID:
1639 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
1640 type: string
1641 region:
1642 description: Always set the region when using AccessKeyID and SecretAccessKey
1643 type: string
1644 role:
1645 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, the shared credentials file or AWS Instance metadata.
1646 type: string
1647 secretAccessKeySecretRef:
1648 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
1649 type: object
1650 required:
1651 - name
1652 properties:
1653 key:
1654 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1655 type: string
1656 name:
1657 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1658 type: string
1659 webhook:
1660 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
1661 type: object
1662 required:
1663 - groupName
1664 - solverName
1665 properties:
1666 config:
1667 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
1668 x-kubernetes-preserve-unknown-fields: true
1669 groupName:
1670 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
1671 type: string
1672 solverName:
1673 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
1674 type: string
1675 http01:
1676 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
1677 type: object
1678 properties:
1679 gatewayHTTPRoute:
1680 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
1681 type: object
1682 properties:
1683 labels:
1684 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
1685 type: object
1686 additionalProperties:
1687 type: string
1688 parentRefs:
1689 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
1690 type: array
1691 items:
1692 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
1693 type: object
1694 required:
1695 - name
1696 properties:
1697 group:
1698 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
1699 type: string
1700 default: gateway.networking.k8s.io
1701 maxLength: 253
1702 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1703 kind:
1704 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
1705 type: string
1706 default: Gateway
1707 maxLength: 63
1708 minLength: 1
1709 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1710 name:
1711 description: "Name is the name of the referent. \n Support: Core"
1712 type: string
1713 maxLength: 253
1714 minLength: 1
1715 namespace:
1716 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
1717 type: string
1718 maxLength: 63
1719 minLength: 1
1720 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
1721 port:
1722 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
1723 type: integer
1724 format: int32
1725 maximum: 65535
1726 minimum: 1
1727 sectionName:
1728 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
1729 type: string
1730 maxLength: 253
1731 minLength: 1
1732 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1733 serviceType:
1734 description: Optional service type for the Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. Note that NodePort allocates a port from the cluster's node-port range on every node; prefer ClusterIP when the gateway or ingress controller can reach the solver service from inside the cluster.
1735 type: string
1736 ingress:
1737 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
1738 type: object
1739 properties:
1740 class:
1741 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
1742 type: string
1743 ingressTemplate:
1744 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
1745 type: object
1746 properties:
1747 metadata:
1748 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1749 type: object
1750 properties:
1751 annotations:
1752 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
1753 type: object
1754 additionalProperties:
1755 type: string
1756 labels:
1757 description: Labels that should be added to the created ACME HTTP01 solver ingress.
1758 type: object
1759 additionalProperties:
1760 type: string
1761 name:
1762 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
1763 type: string
1764 podTemplate:
1765 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
1766 type: object
1767 properties:
1768 metadata:
1769 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1770 type: object
1771 properties:
1772 annotations:
1773 description: Annotations that should be added to the created ACME HTTP01 solver pods.
1774 type: object
1775 additionalProperties:
1776 type: string
1777 labels:
1778 description: Labels that should be added to the created ACME HTTP01 solver pods.
1779 type: object
1780 additionalProperties:
1781 type: string
1782 spec:
1783 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
1784 type: object
1785 properties:
1786 affinity:
1787 description: If specified, the pod's scheduling constraints
1788 type: object
1789 properties:
1790 nodeAffinity:
1791 description: Describes node affinity scheduling rules for the pod.
1792 type: object
1793 properties:
1794 preferredDuringSchedulingIgnoredDuringExecution:
1795 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
1796 type: array
1797 items:
1798 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1799 type: object
1800 required:
1801 - preference
1802 - weight
1803 properties:
1804 preference:
1805 description: A node selector term, associated with the corresponding weight.
1806 type: object
1807 properties:
1808 matchExpressions:
1809 description: A list of node selector requirements by node's labels.
1810 type: array
1811 items:
1812 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1813 type: object
1814 required:
1815 - key
1816 - operator
1817 properties:
1818 key:
1819 description: The label key that the selector applies to.
1820 type: string
1821 operator:
1822 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1823 type: string
1824 values:
1825 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1826 type: array
1827 items:
1828 type: string
1829 matchFields:
1830 description: A list of node selector requirements by node's fields.
1831 type: array
1832 items:
1833 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1834 type: object
1835 required:
1836 - key
1837 - operator
1838 properties:
1839 key:
1840 description: The label key that the selector applies to.
1841 type: string
1842 operator:
1843 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1844 type: string
1845 values:
1846 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1847 type: array
1848 items:
1849 type: string
1850 x-kubernetes-map-type: atomic
1851 weight:
1852 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
1853 type: integer
1854 format: int32
1855 requiredDuringSchedulingIgnoredDuringExecution:
1856 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
1857 type: object
1858 required:
1859 - nodeSelectorTerms
1860 properties:
1861 nodeSelectorTerms:
1862 description: Required. A list of node selector terms. The terms are ORed.
1863 type: array
1864 items:
1865 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
1866 type: object
1867 properties:
1868 matchExpressions:
1869 description: A list of node selector requirements by node's labels.
1870 type: array
1871 items:
1872 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1873 type: object
1874 required:
1875 - key
1876 - operator
1877 properties:
1878 key:
1879 description: The label key that the selector applies to.
1880 type: string
1881 operator:
1882 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
1883 type: string
1884 values:
1885 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1886 type: array
1887 items:
1888 type: string
1889 matchFields:
1890 description: A list of node selector requirements by node's fields.
1891 type: array
1892 items:
1893 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1894 type: object
1895 required:
1896 - key
1897 - operator
1898 properties:
1899 key:
1900 description: The label key that the selector applies to.
1901 type: string
1902 operator:
1903 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
1904 type: string
1905 values:
1906 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1907 type: array
1908 items:
1909 type: string
1910 x-kubernetes-map-type: atomic
1911 x-kubernetes-map-type: atomic
1912 podAffinity:
1913 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
1914 type: object
1915 properties:
1916 preferredDuringSchedulingIgnoredDuringExecution:
1917 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1918 type: array
1919 items:
1920 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1921 type: object
1922 required:
1923 - podAffinityTerm
1924 - weight
1925 properties:
1926 podAffinityTerm:
1927 description: Required. A pod affinity term, associated with the corresponding weight.
1928 type: object
1929 required:
1930 - topologyKey
1931 properties:
1932 labelSelector:
1933 description: A label query over a set of resources, in this case pods.
1934 type: object
1935 properties:
1936 matchExpressions:
1937 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1938 type: array
1939 items:
1940 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1941 type: object
1942 required:
1943 - key
1944 - operator
1945 properties:
1946 key:
1947 description: key is the label key that the selector applies to.
1948 type: string
1949 operator:
1950 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1951 type: string
1952 values:
1953 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1954 type: array
1955 items:
1956 type: string
1957 matchLabels:
1958 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1959 type: object
1960 additionalProperties:
1961 type: string
1962 x-kubernetes-map-type: atomic
1963 namespaceSelector:
1964 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1965 type: object
1966 properties:
1967 matchExpressions:
1968 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1969 type: array
1970 items:
1971 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1972 type: object
1973 required:
1974 - key
1975 - operator
1976 properties:
1977 key:
1978 description: key is the label key that the selector applies to.
1979 type: string
1980 operator:
1981 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1982 type: string
1983 values:
1984 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1985 type: array
1986 items:
1987 type: string
1988 matchLabels:
1989 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1990 type: object
1991 additionalProperties:
1992 type: string
1993 x-kubernetes-map-type: atomic
1994 namespaces:
1995 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1996 type: array
1997 items:
1998 type: string
1999 topologyKey:
2000 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2001 type: string
2002 weight:
2003 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2004 type: integer
2005 format: int32
2006 requiredDuringSchedulingIgnoredDuringExecution:
2007 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2008 type: array
2009 items:
2010 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2011 type: object
2012 required:
2013 - topologyKey
2014 properties:
2015 labelSelector:
2016 description: A label query over a set of resources, in this case pods.
2017 type: object
2018 properties:
2019 matchExpressions:
2020 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2021 type: array
2022 items:
2023 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2024 type: object
2025 required:
2026 - key
2027 - operator
2028 properties:
2029 key:
2030 description: key is the label key that the selector applies to.
2031 type: string
2032 operator:
2033 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2034 type: string
2035 values:
2036 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2037 type: array
2038 items:
2039 type: string
2040 matchLabels:
2041 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2042 type: object
2043 additionalProperties:
2044 type: string
2045 x-kubernetes-map-type: atomic
2046 namespaceSelector:
2047 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2048 type: object
2049 properties:
2050 matchExpressions:
2051 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2052 type: array
2053 items:
2054 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2055 type: object
2056 required:
2057 - key
2058 - operator
2059 properties:
2060 key:
2061 description: key is the label key that the selector applies to.
2062 type: string
2063 operator:
2064 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2065 type: string
2066 values:
2067 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2068 type: array
2069 items:
2070 type: string
2071 matchLabels:
2072 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2073 type: object
2074 additionalProperties:
2075 type: string
2076 x-kubernetes-map-type: atomic
2077 namespaces:
2078 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2079 type: array
2080 items:
2081 type: string
2082 topologyKey:
2083 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2084 type: string
2085 podAntiAffinity:
2086 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2087 type: object
2088 properties:
2089 preferredDuringSchedulingIgnoredDuringExecution:
2090 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2091 type: array
2092 items:
2093 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2094 type: object
2095 required:
2096 - podAffinityTerm
2097 - weight
2098 properties:
2099 podAffinityTerm:
2100 description: Required. A pod affinity term, associated with the corresponding weight.
2101 type: object
2102 required:
2103 - topologyKey
2104 properties:
2105 labelSelector:
2106 description: A label query over a set of resources, in this case pods.
2107 type: object
2108 properties:
2109 matchExpressions:
2110 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2111 type: array
2112 items:
2113 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2114 type: object
2115 required:
2116 - key
2117 - operator
2118 properties:
2119 key:
2120 description: key is the label key that the selector applies to.
2121 type: string
2122 operator:
2123 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2124 type: string
2125 values:
2126 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2127 type: array
2128 items:
2129 type: string
2130 matchLabels:
2131 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2132 type: object
2133 additionalProperties:
2134 type: string
2135 x-kubernetes-map-type: atomic
2136 namespaceSelector:
2137 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2138 type: object
2139 properties:
2140 matchExpressions:
2141 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2142 type: array
2143 items:
2144 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2145 type: object
2146 required:
2147 - key
2148 - operator
2149 properties:
2150 key:
2151 description: key is the label key that the selector applies to.
2152 type: string
2153 operator:
2154 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2155 type: string
2156 values:
2157 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2158 type: array
2159 items:
2160 type: string
2161 matchLabels:
2162 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2163 type: object
2164 additionalProperties:
2165 type: string
2166 x-kubernetes-map-type: atomic
2167 namespaces:
2168 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2169 type: array
2170 items:
2171 type: string
2172 topologyKey:
2173 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2174 type: string
2175 weight:
2176 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2177 type: integer
2178 format: int32
2179 requiredDuringSchedulingIgnoredDuringExecution:
2180 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2181 type: array
2182 items:
2183 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2184 type: object
2185 required:
2186 - topologyKey
2187 properties:
2188 labelSelector:
2189 description: A label query over a set of resources, in this case pods.
2190 type: object
2191 properties:
2192 matchExpressions:
2193 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2194 type: array
2195 items:
2196 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2197 type: object
2198 required:
2199 - key
2200 - operator
2201 properties:
2202 key:
2203 description: key is the label key that the selector applies to.
2204 type: string
2205 operator:
2206 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2207 type: string
2208 values:
2209 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2210 type: array
2211 items:
2212 type: string
2213 matchLabels:
2214 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2215 type: object
2216 additionalProperties:
2217 type: string
2218 x-kubernetes-map-type: atomic
2219 namespaceSelector:
2220 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2221 type: object
2222 properties:
2223 matchExpressions:
2224 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2225 type: array
2226 items:
2227 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2228 type: object
2229 required:
2230 - key
2231 - operator
2232 properties:
2233 key:
2234 description: key is the label key that the selector applies to.
2235 type: string
2236 operator:
2237 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2238 type: string
2239 values:
2240 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2241 type: array
2242 items:
2243 type: string
2244 matchLabels:
2245 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2246 type: object
2247 additionalProperties:
2248 type: string
2249 x-kubernetes-map-type: atomic
2250 namespaces:
2251 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2252 type: array
2253 items:
2254 type: string
2255 topologyKey:
2256 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2257 type: string
2258 nodeSelector:
2259 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2260 type: object
2261 additionalProperties:
2262 type: string
2263 priorityClassName:
2264 description: If specified, the pod's priorityClassName.
2265 type: string
2266 serviceAccountName:
2267 description: If specified, the name of the service account the HTTP01 solver pod runs as. This determines the pod's Kubernetes API identity and any RBAC granted to it.
2268 type: string
2269 tolerations:
2270 description: If specified, the pod's tolerations.
2271 type: array
2272 items:
2273 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2274 type: object
2275 properties:
2276 effect:
2277 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2278 type: string
2279 key:
2280 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2281 type: string
2282 operator:
2283 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2284 type: string
2285 tolerationSeconds:
2286 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
2287 type: integer
2288 format: int64
2289 value:
2290 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
2291 type: string
2292 serviceType:
2293 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2294 type: string
2295 selector:
2296 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
2297 type: object
2298 properties:
2299 dnsNames:
2300 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2301 type: array
2302 items:
2303 type: string
2304 dnsZones:
2305 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2306 type: array
2307 items:
2308 type: string
2309 matchLabels:
2310 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
2311 type: object
2312 additionalProperties:
2313 type: string
2314 token:
2315 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
2316 type: string
2317 type:
2318 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
2319 type: string
2320 enum:
2321 - HTTP-01
2322 - DNS-01
2323 url:
2324 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
2325 type: string
2326 wildcard:
2327 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
2328 type: boolean
2329 status:
2330 type: object
2331 properties:
2332 presented:
2333 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
2334 type: boolean
2335 processing:
2336 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
2337 type: boolean
2338 reason:
2339 description: Contains human readable information on why the Challenge is in the current state.
2340 type: string
2341 state:
2342 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
2343 type: string
2344 enum:
2345 - valid
2346 - ready
2347 - pending
2348 - processing
2349 - invalid
2350 - expired
2351 - errored
2352 served: true
2353 storage: true
2354 subresources:
2355 status: {}
2356---
2357apiVersion: apiextensions.k8s.io/v1
2358kind: CustomResourceDefinition
2359metadata:
2360 name: certificaterequests.cert-manager.io
2361 labels:
2362 app: '{{ template "cert-manager.name" . }}'
2363 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
2364 app.kubernetes.io/instance: '{{ .Release.Name }}'
2365 # Generated labels {{- include "labels" . | nindent 4 }}
2366spec:
2367 group: cert-manager.io
2368 names:
2369 kind: CertificateRequest
2370 listKind: CertificateRequestList
2371 plural: certificaterequests
2372 shortNames:
2373 - cr
2374 - crs
2375 singular: certificaterequest
2376 categories:
2377 - cert-manager
2378 scope: Namespaced
2379 versions:
2380 - name: v1
2381 subresources:
2382 status: {}
2383 additionalPrinterColumns:
2384 - jsonPath: .status.conditions[?(@.type=="Approved")].status
2385 name: Approved
2386 type: string
2387 - jsonPath: .status.conditions[?(@.type=="Denied")].status
2388 name: Denied
2389 type: string
2390 - jsonPath: .status.conditions[?(@.type=="Ready")].status
2391 name: Ready
2392 type: string
2393 - jsonPath: .spec.issuerRef.name
2394 name: Issuer
2395 type: string
2396 - jsonPath: .spec.username
2397 name: Requestor
2398 type: string
2399 - jsonPath: .status.conditions[?(@.type=="Ready")].message
2400 name: Status
2401 priority: 1
2402 type: string
2403 - jsonPath: .metadata.creationTimestamp
2404 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2405 name: Age
2406 type: date
2407 schema:
2408 openAPIV3Schema:
2409 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
2410 type: object
2411 required:
2412 - spec
2413 properties:
2414 apiVersion:
2415 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2416 type: string
2417 kind:
2418 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2419 type: string
2420 metadata:
2421 type: object
2422 spec:
2423 description: Desired state of the CertificateRequest resource.
2424 type: object
2425 required:
2426 - issuerRef
2427 - request
2428 properties:
2429 duration:
2430 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
2431 type: string
2432 extra:
2433 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
2434 type: object
2435 additionalProperties:
2436 type: array
2437 items:
2438 type: string
2439 groups:
2440 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
2441 type: array
2442 items:
2443 type: string
2444 x-kubernetes-list-type: atomic
2445 isCA:
2446 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
2447 type: boolean
2448 issuerRef:
2449 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
2450 type: object
2451 required:
2452 - name
2453 properties:
2454 group:
2455 description: Group of the resource being referred to.
2456 type: string
2457 kind:
2458 description: Kind of the resource being referred to.
2459 type: string
2460 name:
2461 description: Name of the resource being referred to.
2462 type: string
2463 request:
2464 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
2465 type: string
2466 format: byte
2467 uid:
2468 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
2469 type: string
2470 usages:
2471 description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD also be encoded inside the CSR in `request`. Defaults to `digital signature` and `key encipherment` if not specified.
2472 type: array
2473 items:
2474 description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
2475 type: string
2476 enum:
2477 - signing
2478 - digital signature
2479 - content commitment
2480 - key encipherment
2481 - key agreement
2482 - data encipherment
2483 - cert sign
2484 - crl sign
2485 - encipher only
2486 - decipher only
2487 - any
2488 - server auth
2489 - client auth
2490 - code signing
2491 - email protection
2492 - s/mime
2493 - ipsec end system
2494 - ipsec tunnel
2495 - ipsec user
2496 - timestamping
2497 - ocsp signing
2498 - microsoft sgc
2499 - netscape sgc
2500 username:
2501 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
2502 type: string
2503 status:
2504 description: Status of the CertificateRequest. This is set and managed automatically.
2505 type: object
2506 properties:
2507 ca:
2508 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers and is not guaranteed to be present or complete, so treat it as informational rather than as a verified trust anchor. If not set, the CA is assumed to be unknown/not available.
2509 type: string
2510 format: byte
2511 certificate:
2512 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
2513 type: string
2514 format: byte
2515 conditions:
2516 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
2517 type: array
2518 items:
2519 description: CertificateRequestCondition contains condition information for a CertificateRequest.
2520 type: object
2521 required:
2522 - status
2523 - type
2524 properties:
2525 lastTransitionTime:
2526 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2527 type: string
2528 format: date-time
2529 message:
2530 description: Message is a human readable description of the details of the last transition, complementing reason.
2531 type: string
2532 reason:
2533 description: Reason is a brief machine readable explanation for the condition's last transition.
2534 type: string
2535 status:
2536 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2537 type: string
2538 enum:
2539 - "True"
2540 - "False"
2541 - Unknown
2542 type:
2543 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
2544 type: string
2545 x-kubernetes-list-map-keys:
2546 - type
2547 x-kubernetes-list-type: map
2548 failureTime:
2549 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
2550 type: string
2551 format: date-time
2552 served: true
2553 storage: true
2554---
2555apiVersion: apiextensions.k8s.io/v1
2556kind: CustomResourceDefinition
2557metadata:
2558 name: issuers.cert-manager.io
2559 labels:
2560 app: '{{ template "cert-manager.name" . }}'
2561 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
2562 app.kubernetes.io/instance: '{{ .Release.Name }}'
2563 # Generated labels {{- include "labels" . | nindent 4 }}
2564spec:
2565 group: cert-manager.io
2566 names:
2567 kind: Issuer
2568 listKind: IssuerList
2569 plural: issuers
2570 singular: issuer
2571 categories:
2572 - cert-manager
2573 scope: Namespaced
2574 versions:
2575 - name: v1
2576 subresources:
2577 status: {}
2578 additionalPrinterColumns:
2579 - jsonPath: .status.conditions[?(@.type=="Ready")].status
2580 name: Ready
2581 type: string
2582 - jsonPath: .status.conditions[?(@.type=="Ready")].message
2583 name: Status
2584 priority: 1
2585 type: string
2586 - jsonPath: .metadata.creationTimestamp
2587 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2588 name: Age
2589 type: date
2590 schema:
2591 openAPIV3Schema:
2592 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
2593 type: object
2594 required:
2595 - spec
2596 properties:
2597 apiVersion:
2598 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2599 type: string
2600 kind:
2601 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2602 type: string
2603 metadata:
2604 type: object
2605 spec:
2606 description: Desired state of the Issuer resource.
2607 type: object
2608 properties:
2609 acme:
2610 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
2611 type: object
2612 required:
2613 - privateKeySecretRef
2614 - server
2615 properties:
2616 caBundle:
2617 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
2618 type: string
2619 format: byte
2620 disableAccountKeyGeneration:
2621 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
2622 type: boolean
2623 email:
2624 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
2625 type: string
2626 enableDurationFeature:
2627 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
2628 type: boolean
2629 externalAccountBinding:
2630 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
2631 type: object
2632 required:
2633 - keyID
2634 - keySecretRef
2635 properties:
2636 keyAlgorithm:
2637 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
2638 type: string
2639 enum:
2640 - HS256
2641 - HS384
2642 - HS512
2643 keyID:
2644 description: keyID is the ID of the CA key that the External Account is bound to.
2645 type: string
2646 keySecretRef:
2647 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
2648 type: object
2649 required:
2650 - name
2651 properties:
2652 key:
2653 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2654 type: string
2655 name:
2656 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2657 type: string
2658 preferredChain:
2659 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
2660 type: string
2661 maxLength: 64
2662 privateKeySecretRef:
2663 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
2664 type: object
2665 required:
2666 - name
2667 properties:
2668 key:
2669 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2670 type: string
2671 name:
2672 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2673 type: string
2674 server:
2675 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
2676 type: string
2677 skipTLSVerify:
2678 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
2679 type: boolean
2680 solvers:
2681 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
2682 type: array
2683 items:
2684 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
2685 type: object
2686 properties:
2687 dns01:
2688 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
2689 type: object
2690 properties:
2691 acmeDNS:
2692 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
2693 type: object
2694 required:
2695 - accountSecretRef
2696 - host
2697 properties:
2698 accountSecretRef:
2699 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2700 type: object
2701 required:
2702 - name
2703 properties:
2704 key:
2705 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2706 type: string
2707 name:
2708 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2709 type: string
2710 host:
2711 type: string
2712 akamai:
2713 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
2714 type: object
2715 required:
2716 - accessTokenSecretRef
2717 - clientSecretSecretRef
2718 - clientTokenSecretRef
2719 - serviceConsumerDomain
2720 properties:
2721 accessTokenSecretRef:
2722 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2723 type: object
2724 required:
2725 - name
2726 properties:
2727 key:
2728 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2729 type: string
2730 name:
2731 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2732 type: string
2733 clientSecretSecretRef:
2734 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2735 type: object
2736 required:
2737 - name
2738 properties:
2739 key:
2740 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2741 type: string
2742 name:
2743 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2744 type: string
2745 clientTokenSecretRef:
2746 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2747 type: object
2748 required:
2749 - name
2750 properties:
2751 key:
2752 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2753 type: string
2754 name:
2755 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2756 type: string
2757 serviceConsumerDomain:
2758 type: string
2759 azureDNS:
2760 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
2761 type: object
2762 required:
2763 - resourceGroupName
2764 - subscriptionID
2765 properties:
2766 clientID:
2767 description: If both this and clientSecretSecretRef are left unset, managed identity (MSI) will be used.
2768 type: string
2769 clientSecretSecretRef:
2770 description: If both this and clientID are left unset, managed identity (MSI) will be used.
2771 type: object
2772 required:
2773 - name
2774 properties:
2775 key:
2776 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2777 type: string
2778 name:
2779 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2780 type: string
2781 environment:
2782 description: name of the Azure environment (default AzurePublicCloud)
2783 type: string
2784 enum:
2785 - AzurePublicCloud
2786 - AzureChinaCloud
2787 - AzureGermanCloud
2788 - AzureUSGovernmentCloud
2789 hostedZoneName:
2790 description: name of the DNS zone that should be used
2791 type: string
2792 managedIdentity:
2793 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
2794 type: object
2795 properties:
2796 clientID:
2797 description: client ID of the managed identity, can not be used at the same time as resourceID
2798 type: string
2799 resourceID:
2800 description: resource ID of the managed identity, can not be used at the same time as clientID
2801 type: string
2802 resourceGroupName:
2803 description: resource group the DNS zone is located in
2804 type: string
2805 subscriptionID:
2806 description: ID of the Azure subscription
2807 type: string
2808 tenantID:
2809 description: Required when clientID and clientSecretSecretRef are specified.
2810 type: string
2811 cloudDNS:
2812 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
2813 type: object
2814 required:
2815 - project
2816 properties:
2817 hostedZoneName:
2818 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
2819 type: string
2820 project:
2821 type: string
2822 serviceAccountSecretRef:
2823 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2824 type: object
2825 required:
2826 - name
2827 properties:
2828 key:
2829 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2830 type: string
2831 name:
2832 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2833 type: string
2834 cloudflare:
2835 description: Use the Cloudflare API to manage DNS01 challenge records.
2836 type: object
2837 properties:
2838 apiKeySecretRef:
2839 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
2840 type: object
2841 required:
2842 - name
2843 properties:
2844 key:
2845 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2846 type: string
2847 name:
2848 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2849 type: string
2850 apiTokenSecretRef:
2851 description: API token used to authenticate with Cloudflare.
2852 type: object
2853 required:
2854 - name
2855 properties:
2856 key:
2857 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2858 type: string
2859 name:
2860 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2861 type: string
2862 email:
2863 description: Email of the account, only required when using API key based authentication.
2864 type: string
2865 cnameStrategy:
2866 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
2867 type: string
2868 enum:
2869 - None
2870 - Follow
2871 digitalocean:
2872 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
2873 type: object
2874 required:
2875 - tokenSecretRef
2876 properties:
2877 tokenSecretRef:
2878 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2879 type: object
2880 required:
2881 - name
2882 properties:
2883 key:
2884 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2885 type: string
2886 name:
2887 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2888 type: string
2889 rfc2136:
2890 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
2891 type: object
2892 required:
2893 - nameserver
2894 properties:
2895 nameserver:
2896 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
2897 type: string
2898 tsigAlgorithm:
2899 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default, kept for compatibility with older servers; prefer ``HMACSHA256`` or ``HMACSHA512`` where the server supports them), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
2900 type: string
2901 tsigKeyName:
2902 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
2903 type: string
2904 tsigSecretSecretRef:
2905 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
2906 type: object
2907 required:
2908 - name
2909 properties:
2910 key:
2911 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2912 type: string
2913 name:
2914 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2915 type: string
2916 route53:
2917 description: Use the AWS Route53 API to manage DNS01 challenge records.
2918 type: object
2919 required:
2920 - region
2921 properties:
2922 accessKeyID:
2923 description: 'The AccessKeyID is used for authentication. Cannot be set when AccessKeyIDSecretRef is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2924 type: string
2925 accessKeyIDSecretRef:
2926 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2927 type: object
2928 required:
2929 - name
2930 properties:
2931 key:
2932 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2933 type: string
2934 name:
2935 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2936 type: string
2937 hostedZoneID:
2938 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
2939 type: string
2940 region:
2941 description: Always set the region when using AccessKeyID and SecretAccessKey.
2942 type: string
2943 role:
2944 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
2945 type: string
2946 secretAccessKeySecretRef:
2947 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2948 type: object
2949 required:
2950 - name
2951 properties:
2952 key:
2953 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2954 type: string
2955 name:
2956 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2957 type: string
2958 webhook:
2959 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2960 type: object
2961 required:
2962 - groupName
2963 - solverName
2964 properties:
2965 config:
2966 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2967 x-kubernetes-preserve-unknown-fields: true
2968 groupName:
2969 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2970 type: string
2971 solverName:
2972 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2973 type: string
2974 http01:
2975 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2976 type: object
2977 properties:
2978 gatewayHTTPRoute:
2979 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2980 type: object
2981 properties:
2982 labels:
2983 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
2984 type: object
2985 additionalProperties:
2986 type: string
2987 parentRefs:
2988 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
2989 type: array
2990 items:
2991 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
2992 type: object
2993 required:
2994 - name
2995 properties:
2996 group:
2997 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
2998 type: string
2999 default: gateway.networking.k8s.io
3000 maxLength: 253
3001 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
3002 kind:
3003 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
3004 type: string
3005 default: Gateway
3006 maxLength: 63
3007 minLength: 1
3008 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
3009 name:
3010 description: "Name is the name of the referent. \n Support: Core"
3011 type: string
3012 maxLength: 253
3013 minLength: 1
3014 namespace:
3015 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
3016 type: string
3017 maxLength: 63
3018 minLength: 1
3019 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
3020 port:
3021 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
3022 type: integer
3023 format: int32
3024 maximum: 65535
3025 minimum: 1
3026 sectionName:
3027 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
3028 type: string
3029 maxLength: 253
3030 minLength: 1
3031 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
3032 serviceType:
3033 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3034 type: string
3035 ingress:
3036 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3037 type: object
3038 properties:
3039 class:
3040 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
3041 type: string
3042 ingressTemplate:
3043 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
3044 type: object
3045 properties:
3046 metadata:
3047 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3048 type: object
3049 properties:
3050 annotations:
3051 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3052 type: object
3053 additionalProperties:
3054 type: string
3055 labels:
3056 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3057 type: object
3058 additionalProperties:
3059 type: string
3060 name:
3061 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
3062 type: string
3063 podTemplate:
3064 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3065 type: object
3066 properties:
3067 metadata:
3068 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3069 type: object
3070 properties:
3071 annotations:
3072 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3073 type: object
3074 additionalProperties:
3075 type: string
3076 labels:
3077 description: Labels that should be added to the created ACME HTTP01 solver pods.
3078 type: object
3079 additionalProperties:
3080 type: string
3081 spec:
3082 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
3083 type: object
3084 properties:
3085 affinity:
3086 description: If specified, the pod's scheduling constraints
3087 type: object
3088 properties:
3089 nodeAffinity:
3090 description: Describes node affinity scheduling rules for the pod.
3091 type: object
3092 properties:
3093 preferredDuringSchedulingIgnoredDuringExecution:
3094 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3095 type: array
3096 items:
3097 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3098 type: object
3099 required:
3100 - preference
3101 - weight
3102 properties:
3103 preference:
3104 description: A node selector term, associated with the corresponding weight.
3105 type: object
3106 properties:
3107 matchExpressions:
3108 description: A list of node selector requirements by node's labels.
3109 type: array
3110 items:
3111 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3112 type: object
3113 required:
3114 - key
3115 - operator
3116 properties:
3117 key:
3118 description: The label key that the selector applies to.
3119 type: string
3120 operator:
3121 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3122 type: string
3123 values:
3124 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3125 type: array
3126 items:
3127 type: string
3128 matchFields:
3129 description: A list of node selector requirements by node's fields.
3130 type: array
3131 items:
3132 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3133 type: object
3134 required:
3135 - key
3136 - operator
3137 properties:
3138 key:
3139 description: The label key that the selector applies to.
3140 type: string
3141 operator:
3142 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3143 type: string
3144 values:
3145 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3146 type: array
3147 items:
3148 type: string
3149 x-kubernetes-map-type: atomic
3150 weight:
3151 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3152 type: integer
3153 format: int32
3154 requiredDuringSchedulingIgnoredDuringExecution:
3155 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3156 type: object
3157 required:
3158 - nodeSelectorTerms
3159 properties:
3160 nodeSelectorTerms:
3161 description: Required. A list of node selector terms. The terms are ORed.
3162 type: array
3163 items:
3164 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3165 type: object
3166 properties:
3167 matchExpressions:
3168 description: A list of node selector requirements by node's labels.
3169 type: array
3170 items:
3171 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3172 type: object
3173 required:
3174 - key
3175 - operator
3176 properties:
3177 key:
3178 description: The label key that the selector applies to.
3179 type: string
3180 operator:
3181 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3182 type: string
3183 values:
3184 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3185 type: array
3186 items:
3187 type: string
3188 matchFields:
3189 description: A list of node selector requirements by node's fields.
3190 type: array
3191 items:
3192 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3193 type: object
3194 required:
3195 - key
3196 - operator
3197 properties:
3198 key:
3199 description: The label key that the selector applies to.
3200 type: string
3201 operator:
3202 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3203 type: string
3204 values:
3205 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3206 type: array
3207 items:
3208 type: string
3209 x-kubernetes-map-type: atomic
3210 x-kubernetes-map-type: atomic
3211 podAffinity:
3212 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3213 type: object
3214 properties:
3215 preferredDuringSchedulingIgnoredDuringExecution:
3216 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3217 type: array
3218 items:
3219 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3220 type: object
3221 required:
3222 - podAffinityTerm
3223 - weight
3224 properties:
3225 podAffinityTerm:
3226 description: Required. A pod affinity term, associated with the corresponding weight.
3227 type: object
3228 required:
3229 - topologyKey
3230 properties:
3231 labelSelector:
3232 description: A label query over a set of resources, in this case pods.
3233 type: object
3234 properties:
3235 matchExpressions:
3236 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3237 type: array
3238 items:
3239 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3240 type: object
3241 required:
3242 - key
3243 - operator
3244 properties:
3245 key:
3246 description: key is the label key that the selector applies to.
3247 type: string
3248 operator:
3249 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3250 type: string
3251 values:
3252 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3253 type: array
3254 items:
3255 type: string
3256 matchLabels:
3257 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3258 type: object
3259 additionalProperties:
3260 type: string
3261 x-kubernetes-map-type: atomic
3262 namespaceSelector:
3263 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3264 type: object
3265 properties:
3266 matchExpressions:
3267 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3268 type: array
3269 items:
3270 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3271 type: object
3272 required:
3273 - key
3274 - operator
3275 properties:
3276 key:
3277 description: key is the label key that the selector applies to.
3278 type: string
3279 operator:
3280 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3281 type: string
3282 values:
3283 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3284 type: array
3285 items:
3286 type: string
3287 matchLabels:
3288 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3289 type: object
3290 additionalProperties:
3291 type: string
3292 x-kubernetes-map-type: atomic
3293 namespaces:
3294 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3295 type: array
3296 items:
3297 type: string
3298 topologyKey:
3299 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3300 type: string
3301 weight:
3302 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3303 type: integer
3304 format: int32
3305 requiredDuringSchedulingIgnoredDuringExecution:
3306 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3307 type: array
3308 items:
3309 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3310 type: object
3311 required:
3312 - topologyKey
3313 properties:
3314 labelSelector:
3315 description: A label query over a set of resources, in this case pods.
3316 type: object
3317 properties:
3318 matchExpressions:
3319 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3320 type: array
3321 items:
3322 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3323 type: object
3324 required:
3325 - key
3326 - operator
3327 properties:
3328 key:
3329 description: key is the label key that the selector applies to.
3330 type: string
3331 operator:
3332 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3333 type: string
3334 values:
3335 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3336 type: array
3337 items:
3338 type: string
3339 matchLabels:
3340 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3341 type: object
3342 additionalProperties:
3343 type: string
3344 x-kubernetes-map-type: atomic
3345 namespaceSelector:
3346 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3347 type: object
3348 properties:
3349 matchExpressions:
3350 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3351 type: array
3352 items:
3353 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3354 type: object
3355 required:
3356 - key
3357 - operator
3358 properties:
3359 key:
3360 description: key is the label key that the selector applies to.
3361 type: string
3362 operator:
3363 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3364 type: string
3365 values:
3366 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3367 type: array
3368 items:
3369 type: string
3370 matchLabels:
3371 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3372 type: object
3373 additionalProperties:
3374 type: string
3375 x-kubernetes-map-type: atomic
3376 namespaces:
3377 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3378 type: array
3379 items:
3380 type: string
3381 topologyKey:
3382 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3383 type: string
3384 podAntiAffinity:
3385 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3386 type: object
3387 properties:
3388 preferredDuringSchedulingIgnoredDuringExecution:
3389 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3390 type: array
3391 items:
3392 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3393 type: object
3394 required:
3395 - podAffinityTerm
3396 - weight
3397 properties:
3398 podAffinityTerm:
3399 description: Required. A pod affinity term, associated with the corresponding weight.
3400 type: object
3401 required:
3402 - topologyKey
3403 properties:
3404 labelSelector:
3405 description: A label query over a set of resources, in this case pods.
3406 type: object
3407 properties:
3408 matchExpressions:
3409 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3410 type: array
3411 items:
3412 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3413 type: object
3414 required:
3415 - key
3416 - operator
3417 properties:
3418 key:
3419 description: key is the label key that the selector applies to.
3420 type: string
3421 operator:
3422 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3423 type: string
3424 values:
3425 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3426 type: array
3427 items:
3428 type: string
3429 matchLabels:
3430 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3431 type: object
3432 additionalProperties:
3433 type: string
3434 x-kubernetes-map-type: atomic
3435 namespaceSelector:
3436 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3437 type: object
3438 properties:
3439 matchExpressions:
3440 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3441 type: array
3442 items:
3443 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3444 type: object
3445 required:
3446 - key
3447 - operator
3448 properties:
3449 key:
3450 description: key is the label key that the selector applies to.
3451 type: string
3452 operator:
3453 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3454 type: string
3455 values:
3456 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3457 type: array
3458 items:
3459 type: string
3460 matchLabels:
3461 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3462 type: object
3463 additionalProperties:
3464 type: string
3465 x-kubernetes-map-type: atomic
3466 namespaces:
3467 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3468 type: array
3469 items:
3470 type: string
3471 topologyKey:
3472 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3473 type: string
3474 weight:
3475 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3476 type: integer
3477 format: int32
3478 requiredDuringSchedulingIgnoredDuringExecution:
3479 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3480 type: array
3481 items:
3482 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running.
3483 type: object
3484 required:
3485 - topologyKey
3486 properties:
3487 labelSelector:
3488 description: A label query over a set of resources, in this case pods.
3489 type: object
3490 properties:
3491 matchExpressions:
3492 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3493 type: array
3494 items:
3495 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3496 type: object
3497 required:
3498 - key
3499 - operator
3500 properties:
3501 key:
3502 description: key is the label key that the selector applies to.
3503 type: string
3504 operator:
3505 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3506 type: string
3507 values:
3508 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3509 type: array
3510 items:
3511 type: string
3512 matchLabels:
3513 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3514 type: object
3515 additionalProperties:
3516 type: string
3517 x-kubernetes-map-type: atomic
3518 namespaceSelector:
3519 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3520 type: object
3521 properties:
3522 matchExpressions:
3523 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3524 type: array
3525 items:
3526 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3527 type: object
3528 required:
3529 - key
3530 - operator
3531 properties:
3532 key:
3533 description: key is the label key that the selector applies to.
3534 type: string
3535 operator:
3536 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3537 type: string
3538 values:
3539 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3540 type: array
3541 items:
3542 type: string
3543 matchLabels:
3544 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3545 type: object
3546 additionalProperties:
3547 type: string
3548 x-kubernetes-map-type: atomic
3549 namespaces:
3550 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3551 type: array
3552 items:
3553 type: string
3554 topologyKey:
3555 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3556 type: string
3557 nodeSelector:
3558 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3559 type: object
3560 additionalProperties:
3561 type: string
3562 priorityClassName:
3563 description: If specified, the pod's priorityClassName.
3564 type: string
3565 serviceAccountName:
3566 description: If specified, the pod's service account.
3567 type: string
3568 tolerations:
3569 description: If specified, the pod's tolerations.
3570 type: array
3571 items:
3572 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3573 type: object
3574 properties:
3575 effect:
3576 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3577 type: string
3578 key:
3579 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3580 type: string
3581 operator:
3582 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3583 type: string
3584 tolerationSeconds:
3585 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3586 type: integer
3587 format: int64
3588 value:
3589 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3590 type: string
3591 serviceType:
3592 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3593 type: string
3594 selector:
3595 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3596 type: object
3597 properties:
3598 dnsNames:
3599 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3600 type: array
3601 items:
3602 type: string
3603 dnsZones:
3604 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3605 type: array
3606 items:
3607 type: string
3608 matchLabels:
3609 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3610 type: object
3611 additionalProperties:
3612 type: string
3613 ca:
3614 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
3615 type: object
3616 required:
3617 - secretName
3618 properties:
3619 crlDistributionPoints:
3620 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
3621 type: array
3622 items:
3623 type: string
3624 ocspServers:
3625 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
3626 type: array
3627 items:
3628 type: string
3629 secretName:
3630 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
3631 type: string
3632 selfSigned:
3633 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
3634 type: object
3635 properties:
3636 crlDistributionPoints:
3637 description: The CRL distribution points field is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CRL distribution points (CDP). Values are strings.
3638 type: array
3639 items:
3640 type: string
3641 vault:
3642 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
3643 type: object
3644 required:
3645 - auth
3646 - path
3647 - server
3648 properties:
3649 auth:
3650 description: Auth configures how cert-manager authenticates with the Vault server.
3651 type: object
3652 properties:
3653 appRole:
3654 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
3655 type: object
3656 required:
3657 - path
3658 - roleId
3659 - secretRef
3660 properties:
3661 path:
3662 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
3663 type: string
3664 roleId:
3665 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
3666 type: string
3667 secretRef:
3668 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
3669 type: object
3670 required:
3671 - name
3672 properties:
3673 key:
3674 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3675 type: string
3676 name:
3677 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3678 type: string
3679 kubernetes:
3680 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
3681 type: object
3682 required:
3683 - role
3684 - secretRef
3685 properties:
3686 mountPath:
3687 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
3688 type: string
3689 role:
3690 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
3691 type: string
3692 secretRef:
3693 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
3694 type: object
3695 required:
3696 - name
3697 properties:
3698 key:
3699 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3700 type: string
3701 name:
3702 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3703 type: string
3704 tokenSecretRef:
3705 description: TokenSecretRef authenticates with Vault by presenting a token.
3706 type: object
3707 required:
3708 - name
3709 properties:
3710 key:
3711 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3712 type: string
3713 name:
3714 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3715 type: string
3716 caBundle:
3717 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
3718 type: string
3719 format: byte
3720 caBundleSecretRef:
3721 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
3722 type: object
3723 required:
3724 - name
3725 properties:
3726 key:
3727 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3728 type: string
3729 name:
3730 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3731 type: string
3732 namespace:
3733 description: 'Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy, e.g. "ns1". More about namespaces can be found at https://www.vaultproject.io/docs/enterprise/namespaces'
3734 type: string
3735 path:
3736 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
3737 type: string
3738 server:
3739 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
3740 type: string
3741 venafi:
3742 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
3743 type: object
3744 required:
3745 - zone
3746 properties:
3747 cloud:
3748 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
3749 type: object
3750 required:
3751 - apiTokenSecretRef
3752 properties:
3753 apiTokenSecretRef:
3754 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
3755 type: object
3756 required:
3757 - name
3758 properties:
3759 key:
3760 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3761 type: string
3762 name:
3763 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3764 type: string
3765 url:
3766 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
3767 type: string
3768 tpp:
3769 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
3770 type: object
3771 required:
3772 - credentialsRef
3773 - url
3774 properties:
3775 caBundle:
3776 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
3777 type: string
3778 format: byte
3779 credentialsRef:
3780 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
3781 type: object
3782 required:
3783 - name
3784 properties:
3785 name:
3786 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3787 type: string
3788 url:
3789 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
3790 type: string
3791 zone:
3792 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
3793 type: string
3794 status:
3795 description: Status of the Issuer. This is set and managed automatically.
3796 type: object
3797 properties:
3798 acme:
3799 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
3800 type: object
3801 properties:
3802 lastRegisteredEmail:
3803 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
3804 type: string
3805 uri:
3806 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA.
3807 type: string
3808 conditions:
3809 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
3810 type: array
3811 items:
3812 description: IssuerCondition contains condition information for an Issuer.
3813 type: object
3814 required:
3815 - status
3816 - type
3817 properties:
3818 lastTransitionTime:
3819 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
3820 type: string
3821 format: date-time
3822 message:
3823 description: Message is a human readable description of the details of the last transition, complementing reason.
3824 type: string
3825 observedGeneration:
3826 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
3827 type: integer
3828 format: int64
3829 reason:
3830 description: Reason is a brief machine readable explanation for the condition's last transition.
3831 type: string
3832 status:
3833 description: Status of the condition, one of (`True`, `False`, `Unknown`).
3834 type: string
3835 enum:
3836 - "True"
3837 - "False"
3838 - Unknown
3839 type:
3840 description: Type of the condition, known values are (`Ready`).
3841 type: string
3842 x-kubernetes-list-map-keys:
3843 - type
3844 x-kubernetes-list-type: map
3845 served: true
3846 storage: true
3847---
3848apiVersion: apiextensions.k8s.io/v1
3849kind: CustomResourceDefinition
3850metadata:
3851 name: certificates.cert-manager.io
3852 labels:
3853 app: '{{ template "cert-manager.name" . }}'
3854 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
3855 app.kubernetes.io/instance: '{{ .Release.Name }}'
3856 # Generated labels {{- include "labels" . | nindent 4 }}
3857spec:
3858 group: cert-manager.io
3859 names:
3860 kind: Certificate
3861 listKind: CertificateList
3862 plural: certificates
3863 shortNames:
3864 - cert
3865 - certs
3866 singular: certificate
3867 categories:
3868 - cert-manager
3869 scope: Namespaced
3870 versions:
3871 - name: v1
3872 subresources:
3873 status: {}
3874 additionalPrinterColumns:
3875 - jsonPath: .status.conditions[?(@.type=="Ready")].status
3876 name: Ready
3877 type: string
3878 - jsonPath: .spec.secretName
3879 name: Secret
3880 type: string
3881 - jsonPath: .spec.issuerRef.name
3882 name: Issuer
3883 priority: 1
3884 type: string
3885 - jsonPath: .status.conditions[?(@.type=="Ready")].message
3886 name: Status
3887 priority: 1
3888 type: string
3889 - jsonPath: .metadata.creationTimestamp
3890 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
3891 name: Age
3892 type: date
3893 schema:
3894 openAPIV3Schema:
3895 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
3896 type: object
3897 required:
3898 - spec
3899 properties:
3900 apiVersion:
3901 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3902 type: string
3903 kind:
3904 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3905 type: string
3906 metadata:
3907 type: object
3908 spec:
3909 description: Desired state of the Certificate resource.
3910 type: object
3911 required:
3912 - issuerRef
3913 - secretName
3914 properties:
3915 additionalOutputFormats:
3916 description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
3917 type: array
3918 items:
3919 description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
3920 type: object
3921 required:
3922 - type
3923 properties:
3924 type:
3925 description: Type is the name of the format type that should be written to the Certificate's target Secret.
3926 type: string
3927 enum:
3928 - DER
3929 - CombinedPEM
3930 commonName:
3931 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
3932 type: string
3933 dnsNames:
3934 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
3935 type: array
3936 items:
3937 type: string
3938 duration:
3939 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset, this defaults to 90 days. The Certificate will be renewed either 2/3 of the way through its duration or `renewBefore` before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration (see https://golang.org/pkg/time/#ParseDuration).
3940 type: string
3941 emailAddresses:
3942 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
3943 type: array
3944 items:
3945 type: string
3946 encodeUsagesInRequest:
3947 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest.
3948 type: boolean
3949 ipAddresses:
3950 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
3951 type: array
3952 items:
3953 type: string
3954 isCA:
3955 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
3956 type: boolean
3957 issuerRef:
3958 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
3959 type: object
3960 required:
3961 - name
3962 properties:
3963 group:
3964 description: Group of the resource being referred to.
3965 type: string
3966 kind:
3967 description: Kind of the resource being referred to.
3968 type: string
3969 name:
3970 description: Name of the resource being referred to.
3971 type: string
3972 keystores:
3973 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
3974 type: object
3975 properties:
3976 jks:
3977 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
3978 type: object
3979 required:
3980 - create
3981 - passwordSecretRef
3982 properties:
3983 create:
3984 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.jks`, containing the issuing Certificate Authority, will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`.
3985 type: boolean
3986 passwordSecretRef:
3987 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
3988 type: object
3989 required:
3990 - name
3991 properties:
3992 key:
3993 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3994 type: string
3995 name:
3996 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3997 type: string
3998 pkcs12:
3999 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
4000 type: object
4001 required:
4002 - create
4003 - passwordSecretRef
4004 properties:
4005 create:
4006 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.p12`, containing the issuing Certificate Authority, will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`.
4007 type: boolean
4008 passwordSecretRef:
4009 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
4010 type: object
4011 required:
4012 - name
4013 properties:
4014 key:
4015 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4016 type: string
4017 name:
4018 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4019 type: string
4020 literalSubject:
4021 description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
4022 type: string
4023 privateKey:
4024 description: Options to control private keys used for the Certificate.
4025 type: object
4026 properties:
4027 algorithm:
4028 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are `RSA`, `Ed25519` or `ECDSA`. If `algorithm` is specified and `size` is not provided, a key size of 256 will be used for the `ECDSA` key algorithm and a key size of 2048 will be used for the `RSA` key algorithm. Key size is ignored when using the `Ed25519` key algorithm.
4029 type: string
4030 enum:
4031 - RSA
4032 - ECDSA
4033 - Ed25519
4034 encoding:
4035 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
4036 type: string
4037 enum:
4038 - PKCS1
4039 - PKCS8
4040 rotationPolicy:
4041 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
4042 type: string
4043 enum:
4044 - Never
4045 - Always
4046 size:
4047 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
4048 type: integer
4049 renewBefore:
4050 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
4051 type: string
4052 revisionHistoryLimit:
4053 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
4054 type: integer
4055 format: int32
4056 secretName:
4057 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
4058 type: string
4059 secretTemplate:
4060 description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
4061 type: object
4062 properties:
4063 annotations:
4064 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
4065 type: object
4066 additionalProperties:
4067 type: string
4068 labels:
4069 description: Labels is a key value map to be copied to the target Kubernetes Secret.
4070 type: object
4071 additionalProperties:
4072 type: string
4073 subject:
4074 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
4075 type: object
4076 properties:
4077 countries:
4078 description: Countries to be used on the Certificate.
4079 type: array
4080 items:
4081 type: string
4082 localities:
4083 description: Cities to be used on the Certificate.
4084 type: array
4085 items:
4086 type: string
4087 organizationalUnits:
4088 description: Organizational Units to be used on the Certificate.
4089 type: array
4090 items:
4091 type: string
4092 organizations:
4093 description: Organizations to be used on the Certificate.
4094 type: array
4095 items:
4096 type: string
4097 postalCodes:
4098 description: Postal codes to be used on the Certificate.
4099 type: array
4100 items:
4101 type: string
4102 provinces:
4103 description: State/Provinces to be used on the Certificate.
4104 type: array
4105 items:
4106 type: string
4107 serialNumber:
4108 description: Serial number to be used on the Certificate.
4109 type: string
4110 streetAddresses:
4111 description: Street addresses to be used on the Certificate.
4112 type: array
4113 items:
4114 type: string
4115 uris:
4116 description: URIs is a list of URI subjectAltNames to be set on the Certificate.
4117 type: array
4118 items:
4119 type: string
4120 usages:
4121 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
4122 type: array
4123 items:
4124 description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
4125 type: string
4126 enum:
4127 - signing
4128 - digital signature
4129 - content commitment
4130 - key encipherment
4131 - key agreement
4132 - data encipherment
4133 - cert sign
4134 - crl sign
4135 - encipher only
4136 - decipher only
4137 - any
4138 - server auth
4139 - client auth
4140 - code signing
4141 - email protection
4142 - s/mime
4143 - ipsec end system
4144 - ipsec tunnel
4145 - ipsec user
4146 - timestamping
4147 - ocsp signing
4148 - microsoft sgc
4149 - netscape sgc
4150 status:
4151 description: Status of the Certificate. This is set and managed automatically.
4152 type: object
4153 properties:
4154 conditions:
4155 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
4156 type: array
4157 items:
4158 description: CertificateCondition contains condition information for a Certificate.
4159 type: object
4160 required:
4161 - status
4162 - type
4163 properties:
4164 lastTransitionTime:
4165 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
4166 type: string
4167 format: date-time
4168 message:
4169 description: Message is a human readable description of the details of the last transition, complementing reason.
4170 type: string
4171 observedGeneration:
4172 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
4173 type: integer
4174 format: int64
4175 reason:
4176 description: Reason is a brief machine readable explanation for the condition's last transition.
4177 type: string
4178 status:
4179 description: Status of the condition, one of (`True`, `False`, `Unknown`).
4180 type: string
4181 enum:
4182 - "True"
4183 - "False"
4184 - Unknown
4185 type:
4186 description: Type of the condition, known values are (`Ready`, `Issuing`).
4187 type: string
4188 x-kubernetes-list-map-keys:
4189 - type
4190 x-kubernetes-list-type: map
4191 failedIssuanceAttempts:
4192 description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
4193 type: integer
4194 lastFailureTime:
4195 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
4196 type: string
4197 format: date-time
4198 nextPrivateKeySecretName:
4199 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
4200 type: string
4201 notAfter:
4202 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
4203 type: string
4204 format: date-time
4205 notBefore:
4206 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
4207 type: string
4208 format: date-time
4209 renewalTime:
4210 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
4211 type: string
4212 format: date-time
4213 revision:
4214 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
4215 type: integer
4216 served: true
4217 storage: true
4218---
4219apiVersion: apiextensions.k8s.io/v1
4220kind: CustomResourceDefinition
4221metadata:
4222 name: orders.acme.cert-manager.io
4223 labels:
4224 app: '{{ template "cert-manager.name" . }}'
4225 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
4226 app.kubernetes.io/instance: '{{ .Release.Name }}'
4227 # Generated labels {{- include "labels" . | nindent 4 }}
4228spec:
4229 group: acme.cert-manager.io
4230 names:
4231 kind: Order
4232 listKind: OrderList
4233 plural: orders
4234 singular: order
4235 categories:
4236 - cert-manager
4237 - cert-manager-acme
4238 scope: Namespaced
4239 versions:
4240 - name: v1
4241 subresources:
4242 status: {}
4243 additionalPrinterColumns:
4244 - jsonPath: .status.state
4245 name: State
4246 type: string
4247 - jsonPath: .spec.issuerRef.name
4248 name: Issuer
4249 priority: 1
4250 type: string
4251 - jsonPath: .status.reason
4252 name: Reason
4253 priority: 1
4254 type: string
4255 - jsonPath: .metadata.creationTimestamp
4256 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4257 name: Age
4258 type: date
4259 schema:
4260 openAPIV3Schema:
4261 description: Order is a type to represent an Order with an ACME server
4262 type: object
4263 required:
4264 - metadata
4265 - spec
4266 properties:
4267 apiVersion:
4268 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4269 type: string
4270 kind:
4271 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4272 type: string
4273 metadata:
4274 type: object
4275 spec:
4276 type: object
4277 required:
4278 - issuerRef
4279 - request
4280 properties:
4281 commonName:
4282 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
4283 type: string
4284 dnsNames:
4285 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4286 type: array
4287 items:
4288 type: string
4289 duration:
4290 description: Duration is the duration for the not-after date for the requested certificate. This is set on order creation as per the ACME spec.
4291 type: string
4292 ipAddresses:
4293 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4294 type: array
4295 items:
4296 type: string
4297 issuerRef:
4298 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
4299 type: object
4300 required:
4301 - name
4302 properties:
4303 group:
4304 description: Group of the resource being referred to.
4305 type: string
4306 kind:
4307 description: Kind of the resource being referred to.
4308 type: string
4309 name:
4310 description: Name of the resource being referred to.
4311 type: string
4312 request:
4313 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
4314 type: string
4315 format: byte
4316 status:
4317 type: object
4318 properties:
4319 authorizations:
4320 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
4321 type: array
4322 items:
4323 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
4324 type: object
4325 required:
4326 - url
4327 properties:
4328 challenges:
4329 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
4330 type: array
4331 items:
4332 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
4333 type: object
4334 required:
4335 - token
4336 - type
4337 - url
4338 properties:
4339 token:
4340 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
4341 type: string
4342 type:
4343 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
4344 type: string
4345 url:
4346 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
4347 type: string
4348 identifier:
4349 description: Identifier is the DNS name to be validated as part of this authorization.
4350 type: string
4351 initialState:
4352 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
4353 type: string
4354 enum:
4355 - valid
4356 - ready
4357 - pending
4358 - processing
4359 - invalid
4360 - expired
4361 - errored
4362 url:
4363 description: URL is the URL of the Authorization that must be completed.
4364 type: string
4365 wildcard:
4366 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
4367 type: boolean
4368 certificate:
4369 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
4370 type: string
4371 format: byte
4372 failureTime:
4373 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
4374 type: string
4375 format: date-time
4376 finalizeURL:
4377 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
4378 type: string
4379 reason:
4380 description: Reason optionally provides more information about why the order is in the current state.
4381 type: string
4382 state:
4383 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'.
4384 type: string
4385 enum:
4386 - valid
4387 - ready
4388 - pending
4389 - processing
4390 - invalid
4391 - expired
4392 - errored
4393 url:
4394 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
4395 type: string
4396 served: true
4397 storage: true
4398{{- end }}