{{- if .Values.installCRDs }}
# CustomResourceDefinition: certificaterequests.cert-manager.io (group cert-manager.io,
# served version v1, namespaced). Rendered only when .Values.installCRDs is set; the
# matching end directive for that conditional lives past the CRDs in this template.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  annotations:
    # cainjector annotation; the Secret name comes from the chart's webhook.caRef helper.
    # NOTE(review): this document declares no spec.conversion webhook, so the injected
    # CA has nothing in this CRD to populate - presumably kept for compatibility; confirm.
    cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # The include on the next line emits the chart's shared labels on their own
    # lines (nindent), so the leading '#' only hides the "Generated labels" prefix.
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      # /status is a separate subresource: clients updating spec cannot write status.
      subresources:
        status: {}
      # Columns shown by kubectl get; Status is only printed with -o wide (priority 1).
      additionalPrinterColumns:
        - jsonPath: '.status.conditions[?(@.type=="Approved")].status'
          name: Approved
          type: string
        - jsonPath: '.status.conditions[?(@.type=="Denied")].status'
          name: Denied
          type: string
        - jsonPath: '.status.conditions[?(@.type=="Ready")].status'
          name: Ready
          type: string
        - jsonPath: '.spec.issuerRef.name'
          name: Issuer
          type: string
        - jsonPath: '.spec.username'
          name: Requestor
          type: string
        - jsonPath: '.status.conditions[?(@.type=="Ready")].message'
          name: Status
          priority: 1
          type: string
        - jsonPath: '.metadata.creationTimestamp'
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the CertificateRequest resource.
              type: object
              # Only the issuer reference and the CSR itself are mandatory.
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
                  type: string
                # extra / groups / uid / username describe the requesting identity; per their
                # descriptions they are stamped by the cert-manager webhook on creation and
                # are immutable afterwards, i.e. not chosen by the client.
                extra:
                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                # format: byte means the PEM CSR is carried base64-encoded in JSON.
                request:
                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
                  type: string
                  format: byte
                uid:
                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                    type: string
                    # Closed enum: the API server rejects any usage string not listed here.
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: Status of the CertificateRequest. This is set and managed automatically.
              type: object
              properties:
                # Both PEM blobs are base64-encoded (format: byte); ca is best-effort per its description.
                ca:
                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        # Quoted so YAML keeps these as strings rather than booleans.
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
                        type: string
                failureTime:
                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      served: true
      storage: true
---
# CustomResourceDefinition: certificates.cert-manager.io (group cert-manager.io,
# served version v1, namespaced). A Certificate drives issuance into the Secret
# named by spec.secretName; keystore passwords and issuers are referenced by
# name, never embedded in the spec.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
  annotations:
    # cainjector annotation; the Secret name comes from the chart's webhook.caRef helper.
    # NOTE(review): no spec.conversion webhook is declared in this document - confirm the
    # annotation is still needed here.
    cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/instance: '{{ .Release.Name }}'
    # The include on the next line emits the chart's shared labels on their own
    # lines (nindent), so the leading '#' only hides the "Generated labels" prefix.
    # Generated labels {{- include "labels" . | nindent 4 }}
spec:
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
      - cert
      - certs
    singular: certificate
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      # /status is a separate subresource: clients updating spec cannot write status.
      subresources:
        status: {}
      # Columns shown by kubectl get; priority 1 columns only appear with -o wide.
      additionalPrinterColumns:
        - jsonPath: '.status.conditions[?(@.type=="Ready")].status'
          name: Ready
          type: string
        - jsonPath: '.spec.secretName'
          name: Secret
          type: string
        - jsonPath: '.spec.issuerRef.name'
          name: Issuer
          priority: 1
          type: string
        - jsonPath: '.status.conditions[?(@.type=="Ready")].message'
          name: Status
          priority: 1
          type: string
        - jsonPath: '.metadata.creationTimestamp'
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Certificate resource.
              type: object
              # An issuer reference and a target Secret name are the only mandatory fields.
              required:
                - issuerRef
                - secretName
              properties:
                additionalOutputFormats:
                  description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
                  type: array
                  items:
                    description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
                    type: object
                    required:
                      - type
                    properties:
                      type:
                        description: Type is the name of the format type that should be written to the Certificate's target Secret.
                        type: string
                        enum:
                          - DER
                          - CombinedPEM
                commonName:
                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                  type: string
                # Subject alternative names: the schema only constrains these to string lists;
                # any format validation of the entries happens outside this CRD.
                dnsNames:
                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                emailAddresses:
                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                encodeUsagesInRequest:
                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
                  type: boolean
                ipAddresses:
                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                isCA:
                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                keystores:
                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
                  type: object
                  properties:
                    jks:
                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        # The keystore password is a Secret reference (name + key), not an inline value.
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    pkcs12:
                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        # Same shape as the JKS reference above: password lives in a Secret.
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                privateKey:
                  description: Options to control private keys used for the Certificate.
                  type: object
                  properties:
                    algorithm:
                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
                      type: string
                      enum:
                        - RSA
                        - ECDSA
                        - Ed25519
                    encoding:
                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
                      type: string
                      enum:
                        - PKCS1
                        - PKCS8
                    # NOTE(review): the description names Never/Always but no enum is declared
                    # here, so other strings pass schema validation; enforcement, if any, is
                    # outside this CRD.
                    rotationPolicy:
                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
                      type: string
                    # NOTE(review): the documented valid sizes (2048/4096/8192, 256/384/521) are
                    # not expressed as schema constraints; this field is only typed as integer.
                    size:
                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
                      type: integer
                renewBefore:
                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                revisionHistoryLimit:
                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
                  type: integer
                  format: int32
                secretName:
                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
                  type: string
                # Metadata copied onto the generated Secret; per the description it cannot
                # override the annotations cert-manager itself sets on that Secret.
                secretTemplate:
                  description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
                  type: object
                  properties:
                    annotations:
                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                    labels:
                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                subject:
                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                  type: object
                  properties:
                    countries:
                      description: Countries to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    localities:
                      description: Cities to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizationalUnits:
                      description: Organizational Units to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizations:
                      description: Organizations to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    postalCodes:
                      description: Postal codes to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    provinces:
                      description: State/Provinces to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    serialNumber:
                      description: Serial number to be used on the Certificate.
                      type: string
                    streetAddresses:
                      description: Street addresses to be used on the Certificate.
                      type: array
                      items:
                        type: string
                uris:
                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                    type: string
                    # Closed enum: the API server rejects any usage string not listed here.
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
            status:
              description: Status of the Certificate. This is set and managed automatically.
              type: object
              properties:
                conditions:
                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
                  type: array
                  items:
                    description: CertificateCondition contains condition information for an Certificate.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        # Quoted so YAML keeps these as strings rather than booleans.
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `Issuing`).
                        type: string
                lastFailureTime:
                  description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
                  type: string
                  format: date-time
                # Name of the Secret holding the key for the next issuance; set/unset by the
                # controller per the description, not by clients.
                nextPrivateKeySecretName:
                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
                  type: string
                notAfter:
                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
                  type: string
                  format: date-time
                notBefore:
                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
                  type: string
                  format: date-time
                renewalTime:
                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
                  type: string
                  format: date-time
                revision:
                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
                  type: integer
      served: true
      storage: true
---
560apiVersion: apiextensions.k8s.io/v1
561kind: CustomResourceDefinition
562metadata:
563 name: challenges.acme.cert-manager.io
564 annotations:
565 cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
566 labels:
567 app: '{{ template "cert-manager.name" . }}'
568 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
569 app.kubernetes.io/instance: '{{ .Release.Name }}'
570 # Generated labels {{- include "labels" . | nindent 4 }}
571spec:
572 group: acme.cert-manager.io
573 names:
574 kind: Challenge
575 listKind: ChallengeList
576 plural: challenges
577 singular: challenge
578 categories:
579 - cert-manager
580 - cert-manager-acme
581 scope: Namespaced
582 versions:
583 - additionalPrinterColumns:
584 - jsonPath: .status.state
585 name: State
586 type: string
587 - jsonPath: .spec.dnsName
588 name: Domain
589 type: string
590 - jsonPath: .status.reason
591 name: Reason
592 priority: 1
593 type: string
594 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
595 jsonPath: .metadata.creationTimestamp
596 name: Age
597 type: date
598 name: v1
599 schema:
600 openAPIV3Schema:
601 description: Challenge is a type to represent a Challenge request with an ACME server
602 type: object
603 required:
604 - metadata
605 - spec
606 properties:
607 apiVersion:
608 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
609 type: string
610 kind:
611 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
612 type: string
613 metadata:
614 type: object
615 spec:
616 type: object
617 required:
618 - authorizationURL
619 - dnsName
620 - issuerRef
621 - key
622 - solver
623 - token
624 - type
625 - url
626 properties:
627 authorizationURL:
628 description: The URL to the ACME Authorization resource that this challenge is a part of.
629 type: string
630 dnsName:
631 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
632 type: string
633 issuerRef:
634 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
635 type: object
636 required:
637 - name
638 properties:
639 group:
640 description: Group of the resource being referred to.
641 type: string
642 kind:
643 description: Kind of the resource being referred to.
644 type: string
645 name:
646 description: Name of the resource being referred to.
647 type: string
648 key:
649 description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
650 type: string
651 solver:
652 description: Contains the domain solving configuration that should be used to solve this challenge resource.
653 type: object
654 properties:
655 dns01:
656 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
657 type: object
658 properties:
659 acmeDNS:
660 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
661 type: object
662 required:
663 - accountSecretRef
664 - host
665 properties:
666 accountSecretRef:
667 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
668 type: object
669 required:
670 - name
671 properties:
672 key:
673 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
674 type: string
675 name:
676 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
677 type: string
678 host:
679 type: string
680 akamai:
681 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
682 type: object
683 required:
684 - accessTokenSecretRef
685 - clientSecretSecretRef
686 - clientTokenSecretRef
687 - serviceConsumerDomain
688 properties:
689 accessTokenSecretRef:
690 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
691 type: object
692 required:
693 - name
694 properties:
695 key:
696 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
697 type: string
698 name:
699 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
700 type: string
701 clientSecretSecretRef:
702 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
703 type: object
704 required:
705 - name
706 properties:
707 key:
708 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
709 type: string
710 name:
711 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
712 type: string
713 clientTokenSecretRef:
714 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
715 type: object
716 required:
717 - name
718 properties:
719 key:
720 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
721 type: string
722 name:
723 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
724 type: string
725 serviceConsumerDomain:
726 type: string
727 azureDNS:
728 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
729 type: object
730 required:
731 - resourceGroupName
732 - subscriptionID
733 properties:
734 clientID:
735 description: If both this and ClientSecret are left unset, MSI (Managed Service Identity) will be used.
736 type: string
737 clientSecretSecretRef:
738 description: If both this and ClientID are left unset, MSI (Managed Service Identity) will be used.
739 type: object
740 required:
741 - name
742 properties:
743 key:
744 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
745 type: string
746 name:
747 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
748 type: string
749 environment:
750 description: name of the Azure environment (default AzurePublicCloud)
751 type: string
752 enum:
753 - AzurePublicCloud
754 - AzureChinaCloud
755 - AzureGermanCloud
756 - AzureUSGovernmentCloud
757 hostedZoneName:
758 description: name of the DNS zone that should be used
759 type: string
760 managedIdentity:
761 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
762 type: object
763 properties:
764 clientID:
765 description: client ID of the managed identity, can not be used at the same time as resourceID
766 type: string
767 resourceID:
768 description: resource ID of the managed identity, can not be used at the same time as clientID
769 type: string
770 resourceGroupName:
771 description: resource group the DNS zone is located in
772 type: string
773 subscriptionID:
774 description: ID of the Azure subscription
775 type: string
776 tenantID:
777 description: when specifying ClientID and ClientSecret then this field is also needed
778 type: string
779 cloudDNS:
780 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
781 type: object
782 required:
783 - project
784 properties:
785 hostedZoneName:
786 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
787 type: string
788 project:
789 type: string
790 serviceAccountSecretRef:
791 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
792 type: object
793 required:
794 - name
795 properties:
796 key:
797 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
798 type: string
799 name:
800 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
801 type: string
802 cloudflare:
803 description: Use the Cloudflare API to manage DNS01 challenge records.
804 type: object
805 properties:
806 apiKeySecretRef:
807 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
808 type: object
809 required:
810 - name
811 properties:
812 key:
813 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
814 type: string
815 name:
816 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
817 type: string
818 apiTokenSecretRef:
819 description: API token used to authenticate with Cloudflare.
820 type: object
821 required:
822 - name
823 properties:
824 key:
825 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
826 type: string
827 name:
828 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
829 type: string
830 email:
831 description: Email of the account, only required when using API key based authentication.
832 type: string
833 cnameStrategy:
834 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
835 type: string
836 enum:
837 - None
838 - Follow
839 digitalocean:
840 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
841 type: object
842 required:
843 - tokenSecretRef
844 properties:
845 tokenSecretRef:
846 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
847 type: object
848 required:
849 - name
850 properties:
851 key:
852 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
853 type: string
854 name:
855 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
856 type: string
857 rfc2136:
858 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
859 type: object
860 required:
861 - nameserver
862 properties:
863 nameserver:
864 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
865 type: string
866 tsigAlgorithm:
867 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
868 type: string
869 tsigKeyName:
870 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
871 type: string
872 tsigSecretSecretRef:
873 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
874 type: object
875 required:
876 - name
877 properties:
878 key:
879 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
880 type: string
881 name:
882 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
883 type: string
884 route53:
885 description: Use the AWS Route53 API to manage DNS01 challenge records.
886 type: object
887 required:
888 - region
889 properties:
890 accessKeyID:
891 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
892 type: string
893 hostedZoneID:
894 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
895 type: string
896 region:
897 description: Always set the region when using AccessKeyID and SecretAccessKey.
898 type: string
899 role:
900 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
901 type: string
902 secretAccessKeySecretRef:
903 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
904 type: object
905 required:
906 - name
907 properties:
908 key:
909 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
910 type: string
911 name:
912 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
913 type: string
914 webhook:
915 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
916 type: object
917 required:
918 - groupName
919 - solverName
920 properties:
921 config:
922 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
923 x-kubernetes-preserve-unknown-fields: true
924 groupName:
925 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
926 type: string
927 solverName:
928 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
929 type: string
930 http01:
931 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
932 type: object
933 properties:
934 gatewayHTTPRoute:
935 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
936 type: object
937 properties:
938 labels:
939 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
940 type: object
941 additionalProperties:
942 type: string
943 serviceType:
944 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
945 type: string
946 ingress:
947 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
948 type: object
949 properties:
950 class:
951 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
952 type: string
953 ingressTemplate:
954 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
955 type: object
956 properties:
957 metadata:
958 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
959 type: object
960 properties:
961 annotations:
962 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
963 type: object
964 additionalProperties:
965 type: string
966 labels:
967 description: Labels that should be added to the created ACME HTTP01 solver ingress.
968 type: object
969 additionalProperties:
970 type: string
971 name:
972 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
973 type: string
974 podTemplate:
975 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
976 type: object
977 properties:
978 metadata:
979 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
980 type: object
981 properties:
982 annotations:
983 description: Annotations that should be added to the created ACME HTTP01 solver pods.
984 type: object
985 additionalProperties:
986 type: string
987 labels:
988 description: Labels that should be added to the created ACME HTTP01 solver pods.
989 type: object
990 additionalProperties:
991 type: string
992 spec:
993 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
994 type: object
995 properties:
996 affinity:
997 description: If specified, the pod's scheduling constraints
998 type: object
999 properties:
1000 nodeAffinity:
1001 description: Describes node affinity scheduling rules for the pod.
1002 type: object
1003 properties:
1004 preferredDuringSchedulingIgnoredDuringExecution:
1005 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
1006 type: array
1007 items:
1008 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1009 type: object
1010 required:
1011 - preference
1012 - weight
1013 properties:
1014 preference:
1015 description: A node selector term, associated with the corresponding weight.
1016 type: object
1017 properties:
1018 matchExpressions:
1019 description: A list of node selector requirements by node's labels.
1020 type: array
1021 items:
1022 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1023 type: object
1024 required:
1025 - key
1026 - operator
1027 properties:
1028 key:
1029 description: The label key that the selector applies to.
1030 type: string
1031 operator:
1032 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1033 type: string
1034 values:
1035 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1036 type: array
1037 items:
1038 type: string
1039 matchFields:
1040 description: A list of node selector requirements by node's fields.
1041 type: array
1042 items:
1043 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1044 type: object
1045 required:
1046 - key
1047 - operator
1048 properties:
1049 key:
1050 description: The label key that the selector applies to.
1051 type: string
1052 operator:
1053 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1054 type: string
1055 values:
1056 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1057 type: array
1058 items:
1059 type: string
1060 weight:
1061 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
1062 type: integer
1063 format: int32
1064 requiredDuringSchedulingIgnoredDuringExecution:
1065 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
1066 type: object
1067 required:
1068 - nodeSelectorTerms
1069 properties:
1070 nodeSelectorTerms:
1071 description: Required. A list of node selector terms. The terms are ORed.
1072 type: array
1073 items:
1074 description: A null or empty node selector term matches no objects. Their requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
1075 type: object
1076 properties:
1077 matchExpressions:
1078 description: A list of node selector requirements by node's labels.
1079 type: array
1080 items:
1081 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1082 type: object
1083 required:
1084 - key
1085 - operator
1086 properties:
1087 key:
1088 description: The label key that the selector applies to.
1089 type: string
1090 operator:
1091 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1092 type: string
1093 values:
1094 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1095 type: array
1096 items:
1097 type: string
1098 matchFields:
1099 description: A list of node selector requirements by node's fields.
1100 type: array
1101 items:
1102 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1103 type: object
1104 required:
1105 - key
1106 - operator
1107 properties:
1108 key:
1109 description: The label key that the selector applies to.
1110 type: string
1111 operator:
1112 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1113 type: string
1114 values:
1115 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1116 type: array
1117 items:
1118 type: string
1119 podAffinity:
1120 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
1121 type: object
1122 properties:
1123 preferredDuringSchedulingIgnoredDuringExecution:
1124 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1125 type: array
1126 items:
1127 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
1128 type: object
1129 required:
1130 - podAffinityTerm
1131 - weight
1132 properties:
1133 podAffinityTerm:
1134 description: Required. A pod affinity term, associated with the corresponding weight.
1135 type: object
1136 required:
1137 - topologyKey
1138 properties:
1139 labelSelector:
1140 description: A label query over a set of resources, in this case pods.
1141 type: object
1142 properties:
1143 matchExpressions:
1144 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1145 type: array
1146 items:
1147 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1148 type: object
1149 required:
1150 - key
1151 - operator
1152 properties:
1153 key:
1154 description: key is the label key that the selector applies to.
1155 type: string
1156 operator:
1157 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1158 type: string
1159 values:
1160 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1161 type: array
1162 items:
1163 type: string
1164 matchLabels:
1165 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1166 type: object
1167 additionalProperties:
1168 type: string
1169 namespaceSelector:
1170 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
1171 type: object
1172 properties:
1173 matchExpressions:
1174 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1175 type: array
1176 items:
1177 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1178 type: object
1179 required:
1180 - key
1181 - operator
1182 properties:
1183 key:
1184 description: key is the label key that the selector applies to.
1185 type: string
1186 operator:
1187 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1188 type: string
1189 values:
1190 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1191 type: array
1192 items:
1193 type: string
1194 matchLabels:
1195 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1196 type: object
1197 additionalProperties:
1198 type: string
1199 namespaces:
1200 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1201 type: array
1202 items:
1203 type: string
1204 topologyKey:
1205 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1206 type: string
1207 weight:
1208 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
1209 type: integer
1210 format: int32
1211 requiredDuringSchedulingIgnoredDuringExecution:
1212 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
1213 type: array
1214 items:
1215 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running.
1216 type: object
1217 required:
1218 - topologyKey
1219 properties:
1220 labelSelector:
1221 description: A label query over a set of resources, in this case pods.
1222 type: object
1223 properties:
1224 matchExpressions:
1225 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1226 type: array
1227 items:
1228 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1229 type: object
1230 required:
1231 - key
1232 - operator
1233 properties:
1234 key:
1235 description: key is the label key that the selector applies to.
1236 type: string
1237 operator:
1238 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1239 type: string
1240 values:
1241 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1242 type: array
1243 items:
1244 type: string
1245 matchLabels:
1246 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1247 type: object
1248 additionalProperties:
1249 type: string
1250 namespaceSelector:
1251 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
1252 type: object
1253 properties:
1254 matchExpressions:
1255 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1256 type: array
1257 items:
1258 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1259 type: object
1260 required:
1261 - key
1262 - operator
1263 properties:
1264 key:
1265 description: key is the label key that the selector applies to.
1266 type: string
1267 operator:
1268 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1269 type: string
1270 values:
1271 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1272 type: array
1273 items:
1274 type: string
1275 matchLabels:
1276 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1277 type: object
1278 additionalProperties:
1279 type: string
1280 namespaces:
1281 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1282 type: array
1283 items:
1284 type: string
1285 topologyKey:
1286 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1287 type: string
1288 podAntiAffinity:
1289 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
1290 type: object
1291 properties:
1292 preferredDuringSchedulingIgnoredDuringExecution:
1293 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1294 type: array
1295 items:
1296 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
1297 type: object
1298 required:
1299 - podAffinityTerm
1300 - weight
1301 properties:
1302 podAffinityTerm:
1303 description: Required. A pod affinity term, associated with the corresponding weight.
1304 type: object
1305 required:
1306 - topologyKey
1307 properties:
1308 labelSelector:
1309 description: A label query over a set of resources, in this case pods.
1310 type: object
1311 properties:
1312 matchExpressions:
1313 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1314 type: array
1315 items:
1316 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1317 type: object
1318 required:
1319 - key
1320 - operator
1321 properties:
1322 key:
1323 description: key is the label key that the selector applies to.
1324 type: string
1325 operator:
1326 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1327 type: string
1328 values:
1329 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1330 type: array
1331 items:
1332 type: string
1333 matchLabels:
1334 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1335 type: object
1336 additionalProperties:
1337 type: string
1338 namespaceSelector:
1339 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
1340 type: object
1341 properties:
1342 matchExpressions:
1343 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1344 type: array
1345 items:
1346 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1347 type: object
1348 required:
1349 - key
1350 - operator
1351 properties:
1352 key:
1353 description: key is the label key that the selector applies to.
1354 type: string
1355 operator:
1356 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1357 type: string
1358 values:
1359 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1360 type: array
1361 items:
1362 type: string
1363 matchLabels:
1364 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1365 type: object
1366 additionalProperties:
1367 type: string
1368 namespaces:
1369 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1370 type: array
1371 items:
1372 type: string
1373 topologyKey:
1374 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1375 type: string
1376 weight:
1377 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
1378 type: integer
1379 format: int32
1380 requiredDuringSchedulingIgnoredDuringExecution:
1381 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
1382 type: array
1383 items:
1384 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running.
1385 type: object
1386 required:
1387 - topologyKey
1388 properties:
1389 labelSelector:
1390 description: A label query over a set of resources, in this case pods.
1391 type: object
1392 properties:
1393 matchExpressions:
1394 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1395 type: array
1396 items:
1397 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1398 type: object
1399 required:
1400 - key
1401 - operator
1402 properties:
1403 key:
1404 description: key is the label key that the selector applies to.
1405 type: string
1406 operator:
1407 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1408 type: string
1409 values:
1410 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1411 type: array
1412 items:
1413 type: string
1414 matchLabels:
1415 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1416 type: object
1417 additionalProperties:
1418 type: string
1419 namespaceSelector:
1420 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
1421 type: object
1422 properties:
1423 matchExpressions:
1424 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1425 type: array
1426 items:
1427 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1428 type: object
1429 required:
1430 - key
1431 - operator
1432 properties:
1433 key:
1434 description: key is the label key that the selector applies to.
1435 type: string
1436 operator:
1437 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1438 type: string
1439 values:
1440 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1441 type: array
1442 items:
1443 type: string
1444 matchLabels:
1445 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1446 type: object
1447 additionalProperties:
1448 type: string
1449 namespaces:
1450 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1451 type: array
1452 items:
1453 type: string
1454 topologyKey:
1455 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1456 type: string
1457 nodeSelector:
1458 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
1459 type: object
1460 additionalProperties:
1461 type: string
1462 priorityClassName:
1463 description: If specified, the pod's priorityClassName.
1464 type: string
1465 serviceAccountName:
1466 description: If specified, the pod's service account
1467 type: string
1468 tolerations:
1469 description: If specified, the pod's tolerations.
1470 type: array
1471 items:
1472 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
1473 type: object
1474 properties:
1475 effect:
1476 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
1477 type: string
1478 key:
1479 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
1480 type: string
1481 operator:
1482 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
1483 type: string
1484 tolerationSeconds:
1485 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
1486 type: integer
1487 format: int64
1488 value:
1489 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
1490 type: string
1491 serviceType:
1492 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1493 type: string
1494 selector:
1495 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
1496 type: object
1497 properties:
1498 dnsNames:
1499 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1500 type: array
1501 items:
1502 type: string
1503 dnsZones:
1504 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1505 type: array
1506 items:
1507 type: string
1508 matchLabels:
1509 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
1510 type: object
1511 additionalProperties:
1512 type: string
1513 token:
1514 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
1515 type: string
1516 type:
1517 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
1518 type: string
1519 enum:
1520 - HTTP-01
1521 - DNS-01
1522 url:
1523 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
1524 type: string
1525 wildcard:
1526 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
1527 type: boolean
1528 status:
1529 type: object
1530 properties:
1531 presented:
1532 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
1533 type: boolean
1534 processing:
1535 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
1536 type: boolean
1537 reason:
1538 description: Contains human readable information on why the Challenge is in the current state.
1539 type: string
1540 state:
1541 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
1542 type: string
1543 enum:
1544 - valid
1545 - ready
1546 - pending
1547 - processing
1548 - invalid
1549 - expired
1550 - errored
1551 served: true
1552 storage: true
1553 subresources:
1554 status: {}
1555---
1556apiVersion: apiextensions.k8s.io/v1
1557kind: CustomResourceDefinition
1558metadata:
1559 name: clusterissuers.cert-manager.io
1560 annotations:
1561 cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
1562 labels:
1563 app: '{{ template "cert-manager.name" . }}'
1564 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
1565 app.kubernetes.io/instance: '{{ .Release.Name }}'
1566 # Generated labels {{- include "labels" . | nindent 4 }}
1567spec:
1568 group: cert-manager.io
1569 names:
1570 kind: ClusterIssuer
1571 listKind: ClusterIssuerList
1572 plural: clusterissuers
1573 singular: clusterissuer
1574 categories:
1575 - cert-manager
1576 scope: Cluster
1577 versions:
1578 - name: v1
1579 subresources:
1580 status: {}
1581 additionalPrinterColumns:
1582 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1583 name: Ready
1584 type: string
1585 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1586 name: Status
1587 priority: 1
1588 type: string
1589 - jsonPath: .metadata.creationTimestamp
1590 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1591 name: Age
1592 type: date
1593 schema:
1594 openAPIV3Schema:
1595 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
1596 type: object
1597 required:
1598 - spec
1599 properties:
1600 apiVersion:
1601 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1602 type: string
1603 kind:
1604 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1605 type: string
1606 metadata:
1607 type: object
1608 spec:
1609 description: Desired state of the ClusterIssuer resource.
1610 type: object
1611 properties:
1612 acme:
1613 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
1614 type: object
1615 required:
1616 - privateKeySecretRef
1617 - server
1618 properties:
1619 disableAccountKeyGeneration:
1620 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
1621 type: boolean
1622 email:
1623 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
1624 type: string
1625 enableDurationFeature:
1626 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
1627 type: boolean
1628 externalAccountBinding:
1629 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
1630 type: object
1631 required:
1632 - keyID
1633 - keySecretRef
1634 properties:
1635 keyAlgorithm:
1636 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
1637 type: string
1638 enum:
1639 - HS256
1640 - HS384
1641 - HS512
1642 keyID:
1643 description: keyID is the ID of the CA key that the External Account is bound to.
1644 type: string
1645 keySecretRef:
1646 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
1647 type: object
1648 required:
1649 - name
1650 properties:
1651 key:
1652 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1653 type: string
1654 name:
1655 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1656 type: string
1657 preferredChain:
1658 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
1659 type: string
1660 maxLength: 64
1661 privateKeySecretRef:
1662 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
1663 type: object
1664 required:
1665 - name
1666 properties:
1667 key:
1668 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1669 type: string
1670 name:
1671 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1672 type: string
1673 server:
1674 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
1675 type: string
1676 skipTLSVerify:
1677 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
1678 type: boolean
1679 solvers:
1680 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
1681 type: array
1682 items:
1683 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
1684 type: object
1685 properties:
1686 dns01:
1687 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
1688 type: object
1689 properties:
1690 acmeDNS:
1691 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
1692 type: object
1693 required:
1694 - accountSecretRef
1695 - host
1696 properties:
1697 accountSecretRef:
1698 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1699 type: object
1700 required:
1701 - name
1702 properties:
1703 key:
1704 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1705 type: string
1706 name:
1707 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1708 type: string
1709 host:
1710 type: string
1711 akamai:
1712 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
1713 type: object
1714 required:
1715 - accessTokenSecretRef
1716 - clientSecretSecretRef
1717 - clientTokenSecretRef
1718 - serviceConsumerDomain
1719 properties:
1720 accessTokenSecretRef:
1721 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1722 type: object
1723 required:
1724 - name
1725 properties:
1726 key:
1727 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1728 type: string
1729 name:
1730 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1731 type: string
1732 clientSecretSecretRef:
1733 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1734 type: object
1735 required:
1736 - name
1737 properties:
1738 key:
1739 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1740 type: string
1741 name:
1742 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1743 type: string
1744 clientTokenSecretRef:
1745 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1746 type: object
1747 required:
1748 - name
1749 properties:
1750 key:
1751 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1752 type: string
1753 name:
1754 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1755 type: string
1756 serviceConsumerDomain:
1757 type: string
1758 azureDNS:
1759 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
1760 type: object
1761 required:
1762 - resourceGroupName
1763 - subscriptionID
1764 properties:
1765 clientID:
1766 description: If both this and ClientSecret are left unset, MSI will be used.
1767 type: string
1768 clientSecretSecretRef:
1769 description: If both this and ClientID are left unset, MSI will be used.
1770 type: object
1771 required:
1772 - name
1773 properties:
1774 key:
1775 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1776 type: string
1777 name:
1778 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1779 type: string
1780 environment:
1781 description: name of the Azure environment (default AzurePublicCloud)
1782 type: string
1783 enum:
1784 - AzurePublicCloud
1785 - AzureChinaCloud
1786 - AzureGermanCloud
1787 - AzureUSGovernmentCloud
1788 hostedZoneName:
1789 description: name of the DNS zone that should be used
1790 type: string
1791 managedIdentity:
1792 description: managed identity configuration, cannot be used at the same time as clientID, clientSecretSecretRef or tenantID
1793 type: object
1794 properties:
1795 clientID:
1796 description: client ID of the managed identity, cannot be used at the same time as resourceID
1797 type: string
1798 resourceID:
1799 description: resource ID of the managed identity, cannot be used at the same time as clientID
1800 type: string
1801 resourceGroupName:
1802 description: resource group the DNS zone is located in
1803 type: string
1804 subscriptionID:
1805 description: ID of the Azure subscription
1806 type: string
1807 tenantID:
1808 description: when specifying ClientID and ClientSecret, this field is also needed
1809 type: string
1810 cloudDNS:
1811 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
1812 type: object
1813 required:
1814 - project
1815 properties:
1816 hostedZoneName:
1817 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
1818 type: string
1819 project:
1820 type: string
1821 serviceAccountSecretRef:
1822 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1823 type: object
1824 required:
1825 - name
1826 properties:
1827 key:
1828 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1829 type: string
1830 name:
1831 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1832 type: string
1833 cloudflare:
1834 description: Use the Cloudflare API to manage DNS01 challenge records.
1835 type: object
1836 properties:
1837 apiKeySecretRef:
1838 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
1839 type: object
1840 required:
1841 - name
1842 properties:
1843 key:
1844 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1845 type: string
1846 name:
1847 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1848 type: string
1849 apiTokenSecretRef:
1850 description: API token used to authenticate with Cloudflare.
1851 type: object
1852 required:
1853 - name
1854 properties:
1855 key:
1856 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1857 type: string
1858 name:
1859 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1860 type: string
1861 email:
1862 description: Email of the account, only required when using API key based authentication.
1863 type: string
1864 cnameStrategy:
1865 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
1866 type: string
1867 enum:
1868 - None
1869 - Follow
1870 digitalocean:
1871 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
1872 type: object
1873 required:
1874 - tokenSecretRef
1875 properties:
1876 tokenSecretRef:
1877 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1878 type: object
1879 required:
1880 - name
1881 properties:
1882 key:
1883 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1884 type: string
1885 name:
1886 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1887 type: string
1888 rfc2136:
1889 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
1890 type: object
1891 required:
1892 - nameserver
1893 properties:
1894 nameserver:
1895 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
1896 type: string
1897 tsigAlgorithm:
1898 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
1899 type: string
1900 tsigKeyName:
1901 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
1902 type: string
1903 tsigSecretSecretRef:
1904 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
1905 type: object
1906 required:
1907 - name
1908 properties:
1909 key:
1910 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1911 type: string
1912 name:
1913 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1914 type: string
1915 route53:
1916 description: Use the AWS Route53 API to manage DNS01 challenge records.
1917 type: object
1918 required:
1919 - region
1920 properties:
1921 accessKeyID:
1922 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
1923 type: string
1924 hostedZoneID:
1925 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
1926 type: string
1927 region:
1928 description: Always set the region when using AccessKeyID and SecretAccessKey
1929 type: string
1930 role:
1931 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
1932 type: string
1933 secretAccessKeySecretRef:
1934 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1935 type: object
1936 required:
1937 - name
1938 properties:
1939 key:
1940 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1941 type: string
1942 name:
1943 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1944 type: string
1945 webhook:
1946 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
1947 type: object
1948 required:
1949 - groupName
1950 - solverName
1951 properties:
1952 config:
1953 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
1954 x-kubernetes-preserve-unknown-fields: true
1955 groupName:
1956 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
1957 type: string
1958 solverName:
1959 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
1960 type: string
1961 http01:
1962 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
1963 type: object
1964 properties:
1965 gatewayHTTPRoute:
1966 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
1967 type: object
1968 properties:
1969 labels:
1970 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
1971 type: object
1972 additionalProperties:
1973 type: string
1974 serviceType:
1975 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1976 type: string
1977 ingress:
1978 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
1979 type: object
1980 properties:
1981 class:
1982 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
1983 type: string
1984 ingressTemplate:
1985 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
1986 type: object
1987 properties:
1988 metadata:
1989 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1990 type: object
1991 properties:
1992 annotations:
1993 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
1994 type: object
1995 additionalProperties:
1996 type: string
1997 labels:
1998 description: Labels that should be added to the created ACME HTTP01 solver ingress.
1999 type: object
2000 additionalProperties:
2001 type: string
2002 name:
2003 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
2004 type: string
2005 podTemplate:
2006 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2007 type: object
2008 properties:
2009 metadata:
2010 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2011 type: object
2012 properties:
2013 annotations:
2014 description: Annotations that should be added to the create ACME HTTP01 solver pods.
2015 type: object
2016 additionalProperties:
2017 type: string
2018 labels:
2019 description: Labels that should be added to the created ACME HTTP01 solver pods.
2020 type: object
2021 additionalProperties:
2022 type: string
2023 spec:
2024 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
2025 type: object
2026 properties:
2027 affinity:
2028 description: If specified, the pod's scheduling constraints
2029 type: object
2030 properties:
2031 nodeAffinity:
2032 description: Describes node affinity scheduling rules for the pod.
2033 type: object
2034 properties:
2035 preferredDuringSchedulingIgnoredDuringExecution:
2036 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2037 type: array
2038 items:
2039 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2040 type: object
2041 required:
2042 - preference
2043 - weight
2044 properties:
2045 preference:
2046 description: A node selector term, associated with the corresponding weight.
2047 type: object
2048 properties:
2049 matchExpressions:
2050 description: A list of node selector requirements by node's labels.
2051 type: array
2052 items:
2053 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2054 type: object
2055 required:
2056 - key
2057 - operator
2058 properties:
2059 key:
2060 description: The label key that the selector applies to.
2061 type: string
2062 operator:
2063 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2064 type: string
2065 values:
2066 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2067 type: array
2068 items:
2069 type: string
2070 matchFields:
2071 description: A list of node selector requirements by node's fields.
2072 type: array
2073 items:
2074 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2075 type: object
2076 required:
2077 - key
2078 - operator
2079 properties:
2080 key:
2081 description: The label key that the selector applies to.
2082 type: string
2083 operator:
2084 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2085 type: string
2086 values:
2087 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2088 type: array
2089 items:
2090 type: string
2091 weight:
2092 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2093 type: integer
2094 format: int32
2095 requiredDuringSchedulingIgnoredDuringExecution:
2096 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2097 type: object
2098 required:
2099 - nodeSelectorTerms
2100 properties:
2101 nodeSelectorTerms:
2102 description: Required. A list of node selector terms. The terms are ORed.
2103 type: array
2104 items:
2105 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2106 type: object
2107 properties:
2108 matchExpressions:
2109 description: A list of node selector requirements by node's labels.
2110 type: array
2111 items:
2112 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2113 type: object
2114 required:
2115 - key
2116 - operator
2117 properties:
2118 key:
2119 description: The label key that the selector applies to.
2120 type: string
2121 operator:
2122 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2123 type: string
2124 values:
2125 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2126 type: array
2127 items:
2128 type: string
2129 matchFields:
2130 description: A list of node selector requirements by node's fields.
2131 type: array
2132 items:
2133 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2134 type: object
2135 required:
2136 - key
2137 - operator
2138 properties:
2139 key:
2140 description: The label key that the selector applies to.
2141 type: string
2142 operator:
2143 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2144 type: string
2145 values:
2146 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2147 type: array
2148 items:
2149 type: string
2150 podAffinity:
2151 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2152 type: object
2153 properties:
2154 preferredDuringSchedulingIgnoredDuringExecution:
2155 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2156 type: array
2157 items:
2158 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2159 type: object
2160 required:
2161 - podAffinityTerm
2162 - weight
2163 properties:
2164 podAffinityTerm:
2165 description: Required. A pod affinity term, associated with the corresponding weight.
2166 type: object
2167 required:
2168 - topologyKey
2169 properties:
2170 labelSelector:
2171 description: A label query over a set of resources, in this case pods.
2172 type: object
2173 properties:
2174 matchExpressions:
2175 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2176 type: array
2177 items:
2178 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2179 type: object
2180 required:
2181 - key
2182 - operator
2183 properties:
2184 key:
2185 description: key is the label key that the selector applies to.
2186 type: string
2187 operator:
2188 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2189 type: string
2190 values:
2191 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2192 type: array
2193 items:
2194 type: string
2195 matchLabels:
2196 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2197 type: object
2198 additionalProperties:
2199 type: string
2200 namespaceSelector:
2201 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2202 type: object
2203 properties:
2204 matchExpressions:
2205 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2206 type: array
2207 items:
2208 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2209 type: object
2210 required:
2211 - key
2212 - operator
2213 properties:
2214 key:
2215 description: key is the label key that the selector applies to.
2216 type: string
2217 operator:
2218 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2219 type: string
2220 values:
2221 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2222 type: array
2223 items:
2224 type: string
2225 matchLabels:
2226 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2227 type: object
2228 additionalProperties:
2229 type: string
2230 namespaces:
2231 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2232 type: array
2233 items:
2234 type: string
2235 topologyKey:
2236 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2237 type: string
2238 weight:
2239 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2240 type: integer
2241 format: int32
2242 requiredDuringSchedulingIgnoredDuringExecution:
2243 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2244 type: array
2245 items:
2246 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2247 type: object
2248 required:
2249 - topologyKey
2250 properties:
2251 labelSelector:
2252 description: A label query over a set of resources, in this case pods.
2253 type: object
2254 properties:
2255 matchExpressions:
2256 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2257 type: array
2258 items:
2259 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2260 type: object
2261 required:
2262 - key
2263 - operator
2264 properties:
2265 key:
2266 description: key is the label key that the selector applies to.
2267 type: string
2268 operator:
2269 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2270 type: string
2271 values:
2272 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2273 type: array
2274 items:
2275 type: string
2276 matchLabels:
2277 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2278 type: object
2279 additionalProperties:
2280 type: string
2281 namespaceSelector:
2282 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2283 type: object
2284 properties:
2285 matchExpressions:
2286 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2287 type: array
2288 items:
2289 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2290 type: object
2291 required:
2292 - key
2293 - operator
2294 properties:
2295 key:
2296 description: key is the label key that the selector applies to.
2297 type: string
2298 operator:
2299 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2300 type: string
2301 values:
2302 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2303 type: array
2304 items:
2305 type: string
2306 matchLabels:
2307 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2308 type: object
2309 additionalProperties:
2310 type: string
2311 namespaces:
2312 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2313 type: array
2314 items:
2315 type: string
2316 topologyKey:
2317 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2318 type: string
2319 podAntiAffinity:
2320 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2321 type: object
2322 properties:
2323 preferredDuringSchedulingIgnoredDuringExecution:
2324 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2325 type: array
2326 items:
2327 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2328 type: object
2329 required:
2330 - podAffinityTerm
2331 - weight
2332 properties:
2333 podAffinityTerm:
2334 description: Required. A pod affinity term, associated with the corresponding weight.
2335 type: object
2336 required:
2337 - topologyKey
2338 properties:
2339 labelSelector:
2340 description: A label query over a set of resources, in this case pods.
2341 type: object
2342 properties:
2343 matchExpressions:
2344 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2345 type: array
2346 items:
2347 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2348 type: object
2349 required:
2350 - key
2351 - operator
2352 properties:
2353 key:
2354 description: key is the label key that the selector applies to.
2355 type: string
2356 operator:
2357 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2358 type: string
2359 values:
2360 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2361 type: array
2362 items:
2363 type: string
2364 matchLabels:
2365 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2366 type: object
2367 additionalProperties:
2368 type: string
2369 namespaceSelector:
2370 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2371 type: object
2372 properties:
2373 matchExpressions:
2374 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2375 type: array
2376 items:
2377 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2378 type: object
2379 required:
2380 - key
2381 - operator
2382 properties:
2383 key:
2384 description: key is the label key that the selector applies to.
2385 type: string
2386 operator:
2387 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2388 type: string
2389 values:
2390 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2391 type: array
2392 items:
2393 type: string
2394 matchLabels:
2395 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2396 type: object
2397 additionalProperties:
2398 type: string
2399 namespaces:
2400 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2401 type: array
2402 items:
2403 type: string
2404 topologyKey:
2405 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2406 type: string
2407 weight:
2408 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2409 type: integer
2410 format: int32
2411 requiredDuringSchedulingIgnoredDuringExecution:
2412 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2413 type: array
2414 items:
2415 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2416 type: object
2417 required:
2418 - topologyKey
2419 properties:
2420 labelSelector:
2421 description: A label query over a set of resources, in this case pods.
2422 type: object
2423 properties:
2424 matchExpressions:
2425 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2426 type: array
2427 items:
2428 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2429 type: object
2430 required:
2431 - key
2432 - operator
2433 properties:
2434 key:
2435 description: key is the label key that the selector applies to.
2436 type: string
2437 operator:
2438 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2439 type: string
2440 values:
2441 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2442 type: array
2443 items:
2444 type: string
2445 matchLabels:
2446 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2447 type: object
2448 additionalProperties:
2449 type: string
2450 namespaceSelector:
2451 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2452 type: object
2453 properties:
2454 matchExpressions:
2455 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2456 type: array
2457 items:
2458 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2459 type: object
2460 required:
2461 - key
2462 - operator
2463 properties:
2464 key:
2465 description: key is the label key that the selector applies to.
2466 type: string
2467 operator:
2468 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2469 type: string
2470 values:
2471 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2472 type: array
2473 items:
2474 type: string
2475 matchLabels:
2476 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2477 type: object
2478 additionalProperties:
2479 type: string
2480 namespaces:
2481 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2482 type: array
2483 items:
2484 type: string
2485 topologyKey:
2486 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2487 type: string
2488 nodeSelector:
2489 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2490 type: object
2491 additionalProperties:
2492 type: string
2493 priorityClassName:
2494 description: If specified, the pod's priorityClassName.
2495 type: string
2496 serviceAccountName:
2497 description: If specified, the pod's service account
2498 type: string
2499 tolerations:
2500 description: If specified, the pod's tolerations.
2501 type: array
2502 items:
2503 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2504 type: object
2505 properties:
2506 effect:
2507 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2508 type: string
2509 key:
2510 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2511 type: string
2512 operator:
2513 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2514 type: string
2515 tolerationSeconds:
2516 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
2517 type: integer
2518 format: int64
2519 value:
2520 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
2521 type: string
2522 serviceType:
2523 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2524 type: string
2525 selector:
2526 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
2527 type: object
2528 properties:
2529 dnsNames:
2530 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2531 type: array
2532 items:
2533 type: string
2534 dnsZones:
2535 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2536 type: array
2537 items:
2538 type: string
2539 matchLabels:
2540 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
2541 type: object
2542 additionalProperties:
2543 type: string
2544 ca:
2545 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
2546 type: object
2547 required:
2548 - secretName
2549 properties:
2550 crlDistributionPoints:
2551 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
2552 type: array
2553 items:
2554 type: string
2555 ocspServers:
2556 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
2557 type: array
2558 items:
2559 type: string
2560 secretName:
2561 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
2562 type: string
2563 selfSigned:
2564 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
2565 type: object
2566 properties:
2567 crlDistributionPoints:
2568 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
2569 type: array
2570 items:
2571 type: string
2572 vault:
2573 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
2574 type: object
2575 required:
2576 - auth
2577 - path
2578 - server
2579 properties:
2580 auth:
2581 description: Auth configures how cert-manager authenticates with the Vault server.
2582 type: object
2583 properties:
2584 appRole:
2585 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
2586 type: object
2587 required:
2588 - path
2589 - roleId
2590 - secretRef
2591 properties:
2592 path:
2593 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
2594 type: string
2595 roleId:
2596 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
2597 type: string
2598 secretRef:
2599 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
2600 type: object
2601 required:
2602 - name
2603 properties:
2604 key:
2605 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2606 type: string
2607 name:
2608 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2609 type: string
2610 kubernetes:
2611 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
2612 type: object
2613 required:
2614 - role
2615 - secretRef
2616 properties:
2617 mountPath:
2618 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
2619 type: string
2620 role:
2621 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
2622 type: string
2623 secretRef:
2624 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
2625 type: object
2626 required:
2627 - name
2628 properties:
2629 key:
2630 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2631 type: string
2632 name:
2633 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2634 type: string
2635 tokenSecretRef:
2636 description: TokenSecretRef authenticates with Vault by presenting a token.
2637 type: object
2638 required:
2639 - name
2640 properties:
2641 key:
2642 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2643 type: string
2644 name:
2645 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2646 type: string
2647 caBundle:
2648 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
2649 type: string
2650 format: byte
2651 namespace:
2652 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
2653 type: string
2654 path:
2655 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
2656 type: string
2657 server:
2658 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
2659 type: string
2660 venafi:
2661 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
2662 type: object
2663 required:
2664 - zone
2665 properties:
2666 cloud:
2667 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
2668 type: object
2669 required:
2670 - apiTokenSecretRef
2671 properties:
2672 apiTokenSecretRef:
2673 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
2674 type: object
2675 required:
2676 - name
2677 properties:
2678 key:
2679 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2680 type: string
2681 name:
2682 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2683 type: string
2684 url:
2685 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
2686 type: string
2687 tpp:
2688 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
2689 type: object
2690 required:
2691 - credentialsRef
2692 - url
2693 properties:
2694 caBundle:
2695 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
2696 type: string
2697 format: byte
2698 credentialsRef:
2699 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
2700 type: object
2701 required:
2702 - name
2703 properties:
2704 name:
2705 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2706 type: string
2707 url:
2708 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
2709 type: string
2710 zone:
2711 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
2712 type: string
2713 status:
2714 description: Status of the ClusterIssuer. This is set and managed automatically.
2715 type: object
2716 properties:
2717 acme:
2718 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
2719 type: object
2720 properties:
2721 lastRegisteredEmail:
2722 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
2723 type: string
2724 uri:
2725 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
2726 type: string
2727 conditions:
2728 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
2729 type: array
2730 items:
2731 description: IssuerCondition contains condition information for an Issuer.
2732 type: object
2733 required:
2734 - status
2735 - type
2736 properties:
2737 lastTransitionTime:
2738 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2739 type: string
2740 format: date-time
2741 message:
2742 description: Message is a human readable description of the details of the last transition, complementing reason.
2743 type: string
2744 observedGeneration:
2745 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
2746 type: integer
2747 format: int64
2748 reason:
2749 description: Reason is a brief machine readable explanation for the condition's last transition.
2750 type: string
2751 status:
2752 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2753 type: string
2754 enum:
2755 - "True"
2756 - "False"
2757 - Unknown
2758 type:
2759 description: Type of the condition, known values are (`Ready`).
2760 type: string
2761 served: true
2762 storage: true
2763---
2764apiVersion: apiextensions.k8s.io/v1
2765kind: CustomResourceDefinition
2766metadata:
2767 name: issuers.cert-manager.io
2768 annotations:
2769 cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
2770 labels:
2771 app: '{{ template "cert-manager.name" . }}'
2772 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
2773 app.kubernetes.io/instance: '{{ .Release.Name }}'
2774 # Generated labels {{- include "labels" . | nindent 4 }}
2775spec:
2776 group: cert-manager.io
2777 names:
2778 kind: Issuer
2779 listKind: IssuerList
2780 plural: issuers
2781 singular: issuer
2782 categories:
2783 - cert-manager
2784 scope: Namespaced
2785 versions:
2786 - name: v1
2787 subresources:
2788 status: {}
2789 additionalPrinterColumns:
2790 - jsonPath: .status.conditions[?(@.type=="Ready")].status
2791 name: Ready
2792 type: string
2793 - jsonPath: .status.conditions[?(@.type=="Ready")].message
2794 name: Status
2795 priority: 1
2796 type: string
2797 - jsonPath: .metadata.creationTimestamp
2798 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2799 name: Age
2800 type: date
2801 schema:
2802 openAPIV3Schema:
2803 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
2804 type: object
2805 required:
2806 - spec
2807 properties:
2808 apiVersion:
2809 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2810 type: string
2811 kind:
2812 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2813 type: string
2814 metadata:
2815 type: object
2816 spec:
2817 description: Desired state of the Issuer resource.
2818 type: object
2819 properties:
2820 acme:
2821 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
2822 type: object
2823 required:
2824 - privateKeySecretRef
2825 - server
2826 properties:
2827 disableAccountKeyGeneration:
2828 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
2829 type: boolean
2830 email:
2831 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
2832 type: string
2833 enableDurationFeature:
2834 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
2835 type: boolean
2836 externalAccountBinding:
2837 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
2838 type: object
2839 required:
2840 - keyID
2841 - keySecretRef
2842 properties:
2843 keyAlgorithm:
2844 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
2845 type: string
2846 enum:
2847 - HS256
2848 - HS384
2849 - HS512
2850 keyID:
2851 description: keyID is the ID of the CA key that the External Account is bound to.
2852 type: string
2853 keySecretRef:
2854 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
2855 type: object
2856 required:
2857 - name
2858 properties:
2859 key:
2860 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2861 type: string
2862 name:
2863 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2864 type: string
2865 preferredChain:
2866 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
2867 type: string
2868 maxLength: 64
2869 privateKeySecretRef:
2870 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
2871 type: object
2872 required:
2873 - name
2874 properties:
2875 key:
2876 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2877 type: string
2878 name:
2879 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2880 type: string
2881 server:
2882 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
2883 type: string
2884 skipTLSVerify:
2885 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
2886 type: boolean
2887 solvers:
2888 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
2889 type: array
2890 items:
2891 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
2892 type: object
2893 properties:
2894 dns01:
2895 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
2896 type: object
2897 properties:
2898 acmeDNS:
2899 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
2900 type: object
2901 required:
2902 - accountSecretRef
2903 - host
2904 properties:
2905 accountSecretRef:
2906 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2907 type: object
2908 required:
2909 - name
2910 properties:
2911 key:
2912 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2913 type: string
2914 name:
2915 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2916 type: string
2917 host:
2918 type: string
2919 akamai:
2920 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
2921 type: object
2922 required:
2923 - accessTokenSecretRef
2924 - clientSecretSecretRef
2925 - clientTokenSecretRef
2926 - serviceConsumerDomain
2927 properties:
2928 accessTokenSecretRef:
2929 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2930 type: object
2931 required:
2932 - name
2933 properties:
2934 key:
2935 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2936 type: string
2937 name:
2938 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2939 type: string
2940 clientSecretSecretRef:
2941 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2942 type: object
2943 required:
2944 - name
2945 properties:
2946 key:
2947 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2948 type: string
2949 name:
2950 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2951 type: string
2952 clientTokenSecretRef:
2953 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2954 type: object
2955 required:
2956 - name
2957 properties:
2958 key:
2959 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2960 type: string
2961 name:
2962 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2963 type: string
2964 serviceConsumerDomain:
2965 type: string
2966 azureDNS:
2967 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
2968 type: object
2969 required:
2970 - resourceGroupName
2971 - subscriptionID
2972 properties:
2973 clientID:
2974 description: if both this and ClientSecret are left unset MSI will be used
2975 type: string
2976 clientSecretSecretRef:
2977 description: if both this and ClientID are left unset MSI will be used
2978 type: object
2979 required:
2980 - name
2981 properties:
2982 key:
2983 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2984 type: string
2985 name:
2986 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2987 type: string
2988 environment:
2989 description: name of the Azure environment (default AzurePublicCloud)
2990 type: string
2991 enum:
2992 - AzurePublicCloud
2993 - AzureChinaCloud
2994 - AzureGermanCloud
2995 - AzureUSGovernmentCloud
2996 hostedZoneName:
2997 description: name of the DNS zone that should be used
2998 type: string
2999 managedIdentity:
3000 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
3001 type: object
3002 properties:
3003 clientID:
3004 description: client ID of the managed identity, can not be used at the same time as resourceID
3005 type: string
3006 resourceID:
3007 description: resource ID of the managed identity, can not be used at the same time as clientID
3008 type: string
3009 resourceGroupName:
3010 description: resource group the DNS zone is located in
3011 type: string
3012 subscriptionID:
3013 description: ID of the Azure subscription
3014 type: string
3015 tenantID:
3016 description: When specifying ClientID and ClientSecret, this field is also needed
3017 type: string
3018 cloudDNS:
3019 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3020 type: object
3021 required:
3022 - project
3023 properties:
3024 hostedZoneName:
3025 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
3026 type: string
3027 project:
3028 type: string
3029 serviceAccountSecretRef:
3030 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3031 type: object
3032 required:
3033 - name
3034 properties:
3035 key:
3036 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3037 type: string
3038 name:
3039 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3040 type: string
3041 cloudflare:
3042 description: Use the Cloudflare API to manage DNS01 challenge records.
3043 type: object
3044 properties:
3045 apiKeySecretRef:
3046 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
3047 type: object
3048 required:
3049 - name
3050 properties:
3051 key:
3052 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3053 type: string
3054 name:
3055 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3056 type: string
3057 apiTokenSecretRef:
3058 description: API token used to authenticate with Cloudflare.
3059 type: object
3060 required:
3061 - name
3062 properties:
3063 key:
3064 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3065 type: string
3066 name:
3067 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3068 type: string
3069 email:
3070 description: Email of the account, only required when using API key based authentication.
3071 type: string
3072 cnameStrategy:
3073 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3074 type: string
3075 enum:
3076 - None
3077 - Follow
3078 digitalocean:
3079 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3080 type: object
3081 required:
3082 - tokenSecretRef
3083 properties:
3084 tokenSecretRef:
3085 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3086 type: object
3087 required:
3088 - name
3089 properties:
3090 key:
3091 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3092 type: string
3093 name:
3094 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3095 type: string
3096 rfc2136:
3097 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3098 type: object
3099 required:
3100 - nameserver
3101 properties:
3102 nameserver:
3103 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
3104 type: string
3105 tsigAlgorithm:
3106 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
3107 type: string
3108 tsigKeyName:
3109 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3110 type: string
3111 tsigSecretSecretRef:
3112 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3113 type: object
3114 required:
3115 - name
3116 properties:
3117 key:
3118 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3119 type: string
3120 name:
3121 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3122 type: string
3123 route53:
3124 description: Use the AWS Route53 API to manage DNS01 challenge records.
3125 type: object
3126 required:
3127 - region
3128 properties:
3129 accessKeyID:
3130 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, a shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3131 type: string
3132 hostedZoneID:
3133 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
3134 type: string
3135 region:
3136 description: Always set the region when using AccessKeyID and SecretAccessKey
3137 type: string
3138 role:
3139 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3140 type: string
3141 secretAccessKeySecretRef:
3142 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, a shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
3143 type: object
3144 required:
3145 - name
3146 properties:
3147 key:
3148 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3149 type: string
3150 name:
3151 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3152 type: string
3153 webhook:
3154 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3155 type: object
3156 required:
3157 - groupName
3158 - solverName
3159 properties:
3160 config:
3161 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3162 x-kubernetes-preserve-unknown-fields: true
3163 groupName:
3164 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3165 type: string
3166 solverName:
3167 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3168 type: string
3169 http01:
3170 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3171 type: object
3172 properties:
3173 gatewayHTTPRoute:
3174 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3175 type: object
3176 properties:
3177 labels:
3178 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
3179 type: object
3180 additionalProperties:
3181 type: string
3182 serviceType:
3183 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3184 type: string
3185 ingress:
3186 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3187 type: object
3188 properties:
3189 class:
3190 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
3191 type: string
3192 ingressTemplate:
3193 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
3194 type: object
3195 properties:
3196 metadata:
3197 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3198 type: object
3199 properties:
3200 annotations:
3201 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3202 type: object
3203 additionalProperties:
3204 type: string
3205 labels:
3206 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3207 type: object
3208 additionalProperties:
3209 type: string
3210 name:
3211 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
3212 type: string
3213 podTemplate:
3214 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3215 type: object
3216 properties:
3217 metadata:
3218 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3219 type: object
3220 properties:
3221 annotations:
3222 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3223 type: object
3224 additionalProperties:
3225 type: string
3226 labels:
3227 description: Labels that should be added to the created ACME HTTP01 solver pods.
3228 type: object
3229 additionalProperties:
3230 type: string
3231 spec:
3232 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
3233 type: object
3234 properties:
3235 affinity:
3236 description: If specified, the pod's scheduling constraints
3237 type: object
3238 properties:
3239 nodeAffinity:
3240 description: Describes node affinity scheduling rules for the pod.
3241 type: object
3242 properties:
3243 preferredDuringSchedulingIgnoredDuringExecution:
3244 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3245 type: array
3246 items:
3247 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3248 type: object
3249 required:
3250 - preference
3251 - weight
3252 properties:
3253 preference:
3254 description: A node selector term, associated with the corresponding weight.
3255 type: object
3256 properties:
3257 matchExpressions:
3258 description: A list of node selector requirements by node's labels.
3259 type: array
3260 items:
3261 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3262 type: object
3263 required:
3264 - key
3265 - operator
3266 properties:
3267 key:
3268 description: The label key that the selector applies to.
3269 type: string
3270 operator:
3271 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3272 type: string
3273 values:
3274 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3275 type: array
3276 items:
3277 type: string
3278 matchFields:
3279 description: A list of node selector requirements by node's fields.
3280 type: array
3281 items:
3282 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3283 type: object
3284 required:
3285 - key
3286 - operator
3287 properties:
3288 key:
3289 description: The label key that the selector applies to.
3290 type: string
3291 operator:
3292 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3293 type: string
3294 values:
3295 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3296 type: array
3297 items:
3298 type: string
3299 weight:
3300 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3301 type: integer
3302 format: int32
3303 requiredDuringSchedulingIgnoredDuringExecution:
3304 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3305 type: object
3306 required:
3307 - nodeSelectorTerms
3308 properties:
3309 nodeSelectorTerms:
3310 description: Required. A list of node selector terms. The terms are ORed.
3311 type: array
3312 items:
3313 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3314 type: object
3315 properties:
3316 matchExpressions:
3317 description: A list of node selector requirements by node's labels.
3318 type: array
3319 items:
3320 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3321 type: object
3322 required:
3323 - key
3324 - operator
3325 properties:
3326 key:
3327 description: The label key that the selector applies to.
3328 type: string
3329 operator:
3330 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3331 type: string
3332 values:
3333 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3334 type: array
3335 items:
3336 type: string
3337 matchFields:
3338 description: A list of node selector requirements by node's fields.
3339 type: array
3340 items:
3341 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3342 type: object
3343 required:
3344 - key
3345 - operator
3346 properties:
3347 key:
3348 description: The label key that the selector applies to.
3349 type: string
3350 operator:
3351 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3352 type: string
3353 values:
3354 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3355 type: array
3356 items:
3357 type: string
3358 podAffinity:
3359 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3360 type: object
3361 properties:
3362 preferredDuringSchedulingIgnoredDuringExecution:
3363 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3364 type: array
3365 items:
3366 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3367 type: object
3368 required:
3369 - podAffinityTerm
3370 - weight
3371 properties:
3372 podAffinityTerm:
3373 description: Required. A pod affinity term, associated with the corresponding weight.
3374 type: object
3375 required:
3376 - topologyKey
3377 properties:
3378 labelSelector:
3379 description: A label query over a set of resources, in this case pods.
3380 type: object
3381 properties:
3382 matchExpressions:
3383 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3384 type: array
3385 items:
3386 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3387 type: object
3388 required:
3389 - key
3390 - operator
3391 properties:
3392 key:
3393 description: key is the label key that the selector applies to.
3394 type: string
3395 operator:
3396 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3397 type: string
3398 values:
3399 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3400 type: array
3401 items:
3402 type: string
3403 matchLabels:
3404 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3405 type: object
3406 additionalProperties:
3407 type: string
3408 namespaceSelector:
3409 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3410 type: object
3411 properties:
3412 matchExpressions:
3413 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3414 type: array
3415 items:
3416 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3417 type: object
3418 required:
3419 - key
3420 - operator
3421 properties:
3422 key:
3423 description: key is the label key that the selector applies to.
3424 type: string
3425 operator:
3426 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3427 type: string
3428 values:
3429 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3430 type: array
3431 items:
3432 type: string
3433 matchLabels:
3434 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3435 type: object
3436 additionalProperties:
3437 type: string
3438 namespaces:
3439 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3440 type: array
3441 items:
3442 type: string
3443 topologyKey:
3444 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3445 type: string
3446 weight:
3447 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3448 type: integer
3449 format: int32
3450 requiredDuringSchedulingIgnoredDuringExecution:
3451 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3452 type: array
3453 items:
3454 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3455 type: object
3456 required:
3457 - topologyKey
3458 properties:
3459 labelSelector:
3460 description: A label query over a set of resources, in this case pods.
3461 type: object
3462 properties:
3463 matchExpressions:
3464 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3465 type: array
3466 items:
3467 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3468 type: object
3469 required:
3470 - key
3471 - operator
3472 properties:
3473 key:
3474 description: key is the label key that the selector applies to.
3475 type: string
3476 operator:
3477 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3478 type: string
3479 values:
3480 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3481 type: array
3482 items:
3483 type: string
3484 matchLabels:
3485 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3486 type: object
3487 additionalProperties:
3488 type: string
3489 namespaceSelector:
3490 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3491 type: object
3492 properties:
3493 matchExpressions:
3494 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3495 type: array
3496 items:
3497 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3498 type: object
3499 required:
3500 - key
3501 - operator
3502 properties:
3503 key:
3504 description: key is the label key that the selector applies to.
3505 type: string
3506 operator:
3507 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3508 type: string
3509 values:
3510 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3511 type: array
3512 items:
3513 type: string
3514 matchLabels:
3515 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3516 type: object
3517 additionalProperties:
3518 type: string
3519 namespaces:
3520 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3521 type: array
3522 items:
3523 type: string
3524 topologyKey:
3525 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3526 type: string
3527 podAntiAffinity:
3528 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3529 type: object
3530 properties:
3531 preferredDuringSchedulingIgnoredDuringExecution:
3532 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3533 type: array
3534 items:
3535 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3536 type: object
3537 required:
3538 - podAffinityTerm
3539 - weight
3540 properties:
3541 podAffinityTerm:
3542 description: Required. A pod affinity term, associated with the corresponding weight.
3543 type: object
3544 required:
3545 - topologyKey
3546 properties:
3547 labelSelector:
3548 description: A label query over a set of resources, in this case pods.
3549 type: object
3550 properties:
3551 matchExpressions:
3552 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3553 type: array
3554 items:
3555 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3556 type: object
3557 required:
3558 - key
3559 - operator
3560 properties:
3561 key:
3562 description: key is the label key that the selector applies to.
3563 type: string
3564 operator:
3565 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3566 type: string
3567 values:
3568 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3569 type: array
3570 items:
3571 type: string
3572 matchLabels:
3573 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3574 type: object
3575 additionalProperties:
3576 type: string
3577 namespaceSelector:
3578 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3579 type: object
3580 properties:
3581 matchExpressions:
3582 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3583 type: array
3584 items:
3585 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3586 type: object
3587 required:
3588 - key
3589 - operator
3590 properties:
3591 key:
3592 description: key is the label key that the selector applies to.
3593 type: string
3594 operator:
3595 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3596 type: string
3597 values:
3598 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3599 type: array
3600 items:
3601 type: string
3602 matchLabels:
3603 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3604 type: object
3605 additionalProperties:
3606 type: string
3607 namespaces:
3608 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3609 type: array
3610 items:
3611 type: string
3612 topologyKey:
3613 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3614 type: string
3615 weight:
3616 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3617 type: integer
3618 format: int32
3619 requiredDuringSchedulingIgnoredDuringExecution:
3620 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3621 type: array
3622 items:
3623 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3624 type: object
3625 required:
3626 - topologyKey
3627 properties:
3628 labelSelector:
3629 description: A label query over a set of resources, in this case pods.
3630 type: object
3631 properties:
3632 matchExpressions:
3633 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3634 type: array
3635 items:
3636 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3637 type: object
3638 required:
3639 - key
3640 - operator
3641 properties:
3642 key:
3643 description: key is the label key that the selector applies to.
3644 type: string
3645 operator:
3646 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3647 type: string
3648 values:
3649 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3650 type: array
3651 items:
3652 type: string
3653 matchLabels:
3654 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3655 type: object
3656 additionalProperties:
3657 type: string
3658 namespaceSelector:
3659 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3660 type: object
3661 properties:
3662 matchExpressions:
3663 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3664 type: array
3665 items:
3666 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3667 type: object
3668 required:
3669 - key
3670 - operator
3671 properties:
3672 key:
3673 description: key is the label key that the selector applies to.
3674 type: string
3675 operator:
3676 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3677 type: string
3678 values:
3679 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3680 type: array
3681 items:
3682 type: string
3683 matchLabels:
3684 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3685 type: object
3686 additionalProperties:
3687 type: string
3688 namespaces:
3689 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3690 type: array
3691 items:
3692 type: string
3693 topologyKey:
3694 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3695 type: string
3696 nodeSelector:
3697 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3698 type: object
3699 additionalProperties:
3700 type: string
3701 priorityClassName:
3702 description: If specified, the pod's priorityClassName.
3703 type: string
3704 serviceAccountName:
3705 description: If specified, the pod's service account
3706 type: string
3707 tolerations:
3708 description: If specified, the pod's tolerations.
3709 type: array
3710 items:
3711 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3712 type: object
3713 properties:
3714 effect:
3715 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3716 type: string
3717 key:
3718 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3719 type: string
3720 operator:
3721 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3722 type: string
3723 tolerationSeconds:
3724 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3725 type: integer
3726 format: int64
3727 value:
3728 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3729 type: string
3730 serviceType:
3731 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3732 type: string
3733 selector:
3734 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3735 type: object
3736 properties:
3737 dnsNames:
3738 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3739 type: array
3740 items:
3741 type: string
3742 dnsZones:
3743 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3744 type: array
3745 items:
3746 type: string
3747 matchLabels:
3748 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
3749 type: object
3750 additionalProperties:
3751 type: string
3752 ca:
3753 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
3754 type: object
3755 required:
3756 - secretName
3757 properties:
3758 crlDistributionPoints:
3759 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
3760 type: array
3761 items:
3762 type: string
3763 ocspServers:
3764 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
3765 type: array
3766 items:
3767 type: string
3768 secretName:
3769 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
3770 type: string
3771 selfSigned:
3772 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
3773 type: object
3774 properties:
3775 crlDistributionPoints:
3776 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
3777 type: array
3778 items:
3779 type: string
3780 vault:
3781 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
3782 type: object
3783 required:
3784 - auth
3785 - path
3786 - server
3787 properties:
3788 auth:
3789 description: Auth configures how cert-manager authenticates with the Vault server.
3790 type: object
3791 properties:
3792 appRole:
3793 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
3794 type: object
3795 required:
3796 - path
3797 - roleId
3798 - secretRef
3799 properties:
3800 path:
3801 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
3802 type: string
3803 roleId:
3804 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
3805 type: string
3806 secretRef:
3807 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
3808 type: object
3809 required:
3810 - name
3811 properties:
3812 key:
3813 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3814 type: string
3815 name:
3816 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3817 type: string
3818 kubernetes:
3819 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
3820 type: object
3821 required:
3822 - role
3823 - secretRef
3824 properties:
3825 mountPath:
3826 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
3827 type: string
3828 role:
3829 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
3830 type: string
3831 secretRef:
3832 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
3833 type: object
3834 required:
3835 - name
3836 properties:
3837 key:
3838 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3839 type: string
3840 name:
3841 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3842 type: string
3843 tokenSecretRef:
3844 description: TokenSecretRef authenticates with Vault by presenting a token.
3845 type: object
3846 required:
3847 - name
3848 properties:
3849 key:
3850 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3851 type: string
3852 name:
3853 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3854 type: string
3855 caBundle:
3856 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
3857 type: string
3858 format: byte
3859 namespace:
3860 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
3861 type: string
3862 path:
3863 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
3864 type: string
3865 server:
3866 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
3867 type: string
3868 venafi:
3869 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
3870 type: object
3871 required:
3872 - zone
3873 properties:
3874 cloud:
3875 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
3876 type: object
3877 required:
3878 - apiTokenSecretRef
3879 properties:
3880 apiTokenSecretRef:
3881 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
3882 type: object
3883 required:
3884 - name
3885 properties:
3886 key:
3887 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3888 type: string
3889 name:
3890 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3891 type: string
3892 url:
3893 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
3894 type: string
3895 tpp:
3896 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
3897 type: object
3898 required:
3899 - credentialsRef
3900 - url
3901 properties:
3902 caBundle:
3903 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
3904 type: string
3905 format: byte
3906 credentialsRef:
3907 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
3908 type: object
3909 required:
3910 - name
3911 properties:
3912 name:
3913 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3914 type: string
3915 url:
3916 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
3917 type: string
3918 zone:
3919 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
3920 type: string
3921 status:
3922 description: Status of the Issuer. This is set and managed automatically.
3923 type: object
3924 properties:
3925 acme:
3926 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
3927 type: object
3928 properties:
3929 lastRegisteredEmail:
3930 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
3931 type: string
3932 uri:
3933 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
3934 type: string
3935 conditions:
3936 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
3937 type: array
3938 items:
3939 description: IssuerCondition contains condition information for an Issuer.
3940 type: object
3941 required:
3942 - status
3943 - type
3944 properties:
3945 lastTransitionTime:
3946 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
3947 type: string
3948 format: date-time
3949 message:
3950 description: Message is a human readable description of the details of the last transition, complementing reason.
3951 type: string
3952 observedGeneration:
3953 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
3954 type: integer
3955 format: int64
3956 reason:
3957 description: Reason is a brief machine readable explanation for the condition's last transition.
3958 type: string
3959 status:
3960 description: Status of the condition, one of (`True`, `False`, `Unknown`).
3961 type: string
3962 enum:
3963 - "True"
3964 - "False"
3965 - Unknown
3966 type:
3967 description: Type of the condition, known values are (`Ready`).
3968 type: string
3969 served: true
3970 storage: true
3971---
3972apiVersion: apiextensions.k8s.io/v1
3973kind: CustomResourceDefinition
3974metadata:
3975 name: orders.acme.cert-manager.io
3976 annotations:
3977 cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
3978 labels:
3979 app: '{{ template "cert-manager.name" . }}'
3980 app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
3981 app.kubernetes.io/instance: '{{ .Release.Name }}'
3982 # Generated labels {{- include "labels" . | nindent 4 }}
3983spec:
3984 group: acme.cert-manager.io
3985 names:
3986 kind: Order
3987 listKind: OrderList
3988 plural: orders
3989 singular: order
3990 categories:
3991 - cert-manager
3992 - cert-manager-acme
3993 scope: Namespaced
3994 versions:
3995 - name: v1
3996 subresources:
3997 status: {}
3998 additionalPrinterColumns:
3999 - jsonPath: .status.state
4000 name: State
4001 type: string
4002 - jsonPath: .spec.issuerRef.name
4003 name: Issuer
4004 priority: 1
4005 type: string
4006 - jsonPath: .status.reason
4007 name: Reason
4008 priority: 1
4009 type: string
4010 - jsonPath: .metadata.creationTimestamp
4011 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4012 name: Age
4013 type: date
4014 schema:
4015 openAPIV3Schema:
4016 description: Order is a type to represent an Order with an ACME server
4017 type: object
4018 required:
4019 - metadata
4020 - spec
4021 properties:
4022 apiVersion:
4023 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4024 type: string
4025 kind:
4026 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4027 type: string
4028 metadata:
4029 type: object
4030 spec:
4031 type: object
4032 required:
4033 - issuerRef
4034 - request
4035 properties:
4036 commonName:
4037 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
4038 type: string
4039 dnsNames:
4040 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4041 type: array
4042 items:
4043 type: string
4044 duration:
4045 description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
4046 type: string
4047 ipAddresses:
4048 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4049 type: array
4050 items:
4051 type: string
4052 issuerRef:
4053 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
4054 type: object
4055 required:
4056 - name
4057 properties:
4058 group:
4059 description: Group of the resource being referred to.
4060 type: string
4061 kind:
4062 description: Kind of the resource being referred to.
4063 type: string
4064 name:
4065 description: Name of the resource being referred to.
4066 type: string
4067 request:
4068 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
4069 type: string
4070 format: byte
4071 status:
4072 type: object
4073 properties:
4074 authorizations:
4075 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
4076 type: array
4077 items:
4078 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
4079 type: object
4080 required:
4081 - url
4082 properties:
4083 challenges:
4084 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
4085 type: array
4086 items:
4087 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
4088 type: object
4089 required:
4090 - token
4091 - type
4092 - url
4093 properties:
4094 token:
4095 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
4096 type: string
4097 type:
4098 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
4099 type: string
4100 url:
4101 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
4102 type: string
4103 identifier:
4104 description: Identifier is the DNS name to be validated as part of this authorization
4105 type: string
4106 initialState:
4107 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
4108 type: string
4109 enum:
4110 - valid
4111 - ready
4112 - pending
4113 - processing
4114 - invalid
4115 - expired
4116 - errored
4117 url:
4118 description: URL is the URL of the Authorization that must be completed
4119 type: string
4120 wildcard:
4121 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
4122 type: boolean
4123 certificate:
4124 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
4125 type: string
4126 format: byte
4127 failureTime:
4128 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
4129 type: string
4130 format: date-time
4131 finalizeURL:
4132 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
4133 type: string
4134 reason:
4135 description: Reason optionally provides more information about a why the order is in the current state.
4136 type: string
4137 state:
4138 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
4139 type: string
4140 enum:
4141 - valid
4142 - ready
4143 - pending
4144 - processing
4145 - invalid
4146 - expired
4147 - errored
4148 url:
4149 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
4150 type: string
4151 served: true
4152 storage: true
4153---
4154{{- end }}