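# Namespace that hosts the cert-manager controller, cainjector and webhook
# (the conversion webhook referenced by the CRDs below lives here too).
# The pallet.edge.ncr.com/* annotations are provenance metadata written by
# the pallet build: source repository, exact commit and pallet version, so a
# deployed object can be traced back to the revision it was rendered from.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Pod Security Admission labels. The rendered chart left this namespace
    # with no PSA labels at all, so nothing reports on the privilege level of
    # the cert-manager pods. These two modes are non-blocking (audit log entry
    # plus a kubectl warning on violations) and are ignored by clusters that
    # predate PSA, so adding them cannot break the rollout. Promote to
    # `pod-security.kubernetes.io/enforce` once the cert-manager pods are
    # confirmed to pass the chosen level in this environment.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted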
13---
14# Source: cert-manager/templates/templates.out
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 name: certificaterequests.cert-manager.io
19 labels:
20 app: 'cert-manager'
21 app.kubernetes.io/instance: 'cert-manager'
22 app.kubernetes.io/name: 'cert-manager'
23 # Generated labels
24 app.kubernetes.io/version: "v1.5.4"
25 annotations:
26 cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
27 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
28 pallet.edge.ncr.com/name: cert-manager
29 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
30 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
31 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
32 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
33spec:
34 conversion:
    # The Webhook strategy instructs the API server to call an external
    # webhook (the cert-manager webhook Service below) for every conversion
    # between served versions of this custom resource.
36 strategy: Webhook
37 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
38 webhook:
39 clientConfig:
        # No caBundle is set here on purpose: the cert-manager.io/inject-ca-from-secret
        # annotation on this CRD names cert-manager/cert-manager-webhook-ca, and the
        # cainjector is expected to copy that CA into clientConfig.caBundle at runtime.
        # Until it does, the API server has no trust anchor for the webhook's serving
        # certificate, so conversion calls are rejected (reads and writes of any
        # non-storage version of this resource fail closed) rather than proceeding
        # over an unverified connection. Do not hand-edit a caBundle into this
        # rendered manifest; the injected value is the one that tracks the
        # webhook CA.
41 service:
42 name: 'cert-manager-webhook'
43 namespace: "cert-manager"
44 path: /convert
45 #
46 # We don't actually support `v1beta1` but is listed here as it is a
47 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
48 # API server reads the supported versions in order, so _should always_
49 # attempt a `v1` request which is understood by the cert-manager webhook.
50 # Any `v1beta1` request will return an error and fail closed for that
51 # resource (the whole object request is rejected).
52 # When we no longer support v1.16 we can remove `v1beta1` from this list.
53 conversionReviewVersions: ["v1", "v1beta1"]
54 group: cert-manager.io
55 names:
56 kind: CertificateRequest
57 categories:
58 - cert-manager
59 listKind: CertificateRequestList
60 plural: certificaterequests
61 shortNames:
62 - cr
63 - crs
64 singular: certificaterequest
65 scope: Namespaced
66 versions:
67 - name: v1
68 additionalPrinterColumns:
69 - name: Approved
70 type: string
71 jsonPath: .status.conditions[?(@.type=="Approved")].status
72 - name: Denied
73 type: string
74 jsonPath: .status.conditions[?(@.type=="Denied")].status
75 - name: Ready
76 type: string
77 jsonPath: .status.conditions[?(@.type=="Ready")].status
78 - name: Issuer
79 type: string
80 jsonPath: .spec.issuerRef.name
81 - name: Requestor
82 type: string
83 jsonPath: .spec.username
84 - name: Status
85 type: string
86 priority: 1
87 jsonPath: .status.conditions[?(@.type=="Ready")].message
88 - name: Age
89 type: date
90 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
91 jsonPath: .metadata.creationTimestamp
92 schema:
93 openAPIV3Schema:
94 type: object
95 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
96 properties:
97 apiVersion:
98 type: string
99 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
100 kind:
101 type: string
102 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
103 metadata:
104 type: object
105 spec:
106 type: object
107 description: Desired state of the CertificateRequest resource.
108 properties:
109 duration:
110 type: string
111 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
112 extra:
113 type: object
114 additionalProperties:
115 type: array
116 items:
117 type: string
118 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
119 groups:
120 type: array
121 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
122 items:
123 type: string
124 x-kubernetes-list-type: atomic
125 isCA:
126 type: boolean
127 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
128 issuerRef:
129 type: object
130 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
131 properties:
132 name:
133 type: string
134 description: Name of the resource being referred to.
135 kind:
136 type: string
137 description: Kind of the resource being referred to.
138 group:
139 type: string
140 description: Group of the resource being referred to.
141 required:
142 - name
143 request:
144 type: string
145 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
146 format: byte
147 uid:
148 type: string
149 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
150 usages:
151 type: array
152 description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
153 items:
154 type: string
155 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
156 enum:
157 - signing
158 - digital signature
159 - content commitment
160 - key encipherment
161 - key agreement
162 - data encipherment
163 - cert sign
164 - crl sign
165 - encipher only
166 - decipher only
167 - any
168 - server auth
169 - client auth
170 - code signing
171 - email protection
172 - s/mime
173 - ipsec end system
174 - ipsec tunnel
175 - ipsec user
176 - timestamping
177 - ocsp signing
178 - microsoft sgc
179 - netscape sgc
180 username:
181 type: string
182 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
183 required:
184 - issuerRef
185 - request
186 status:
187 type: object
188 description: Status of the CertificateRequest. This is set and managed automatically.
189 properties:
190 ca:
191 type: string
192 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
193 format: byte
194 certificate:
195 type: string
196 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
197 format: byte
198 conditions:
199 type: array
200 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
201 items:
202 type: object
203 description: CertificateRequestCondition contains condition information for a CertificateRequest.
204 properties:
205 type:
206 type: string
207 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
208 status:
209 type: string
210 description: Status of the condition, one of (`True`, `False`, `Unknown`).
211 enum:
212 - "True"
213 - "False"
214 - Unknown
215 lastTransitionTime:
216 type: string
217 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
218 format: date-time
219 message:
220 type: string
221 description: Message is a human readable description of the details of the last transition, complementing reason.
222 reason:
223 type: string
224 description: Reason is a brief machine readable explanation for the condition's last transition.
225 required:
226 - status
227 - type
228 failureTime:
229 type: string
230 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
231 format: date-time
232 required:
233 - spec
234 served: true
235 storage: true
236 subresources:
237 status: {}
238 - name: v1alpha2
239 additionalPrinterColumns:
240 - name: Approved
241 type: string
242 jsonPath: .status.conditions[?(@.type=="Approved")].status
243 - name: Denied
244 type: string
245 jsonPath: .status.conditions[?(@.type=="Denied")].status
246 - name: Ready
247 type: string
248 jsonPath: .status.conditions[?(@.type=="Ready")].status
249 - name: Issuer
250 type: string
251 jsonPath: .spec.issuerRef.name
252 - name: Requestor
253 type: string
254 jsonPath: .spec.username
255 - name: Status
256 type: string
257 priority: 1
258 jsonPath: .status.conditions[?(@.type=="Ready")].message
259 - name: Age
260 type: date
261 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
262 jsonPath: .metadata.creationTimestamp
263 schema:
264 openAPIV3Schema:
265 type: object
266 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
267 properties:
268 apiVersion:
269 type: string
270 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
271 kind:
272 type: string
273 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
274 metadata:
275 type: object
276 spec:
277 type: object
278 description: Desired state of the CertificateRequest resource.
279 properties:
280 csr:
281 type: string
282 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
283 format: byte
284 duration:
285 type: string
286 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
287 extra:
288 type: object
289 additionalProperties:
290 type: array
291 items:
292 type: string
293 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
294 groups:
295 type: array
296 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
297 items:
298 type: string
299 x-kubernetes-list-type: atomic
300 isCA:
301 type: boolean
302 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
303 issuerRef:
304 type: object
305 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
306 properties:
307 name:
308 type: string
309 description: Name of the resource being referred to.
310 kind:
311 type: string
312 description: Kind of the resource being referred to.
313 group:
314 type: string
315 description: Group of the resource being referred to.
316 required:
317 - name
318 uid:
319 type: string
320 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
321 usages:
322 type: array
323 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
324 items:
325 type: string
326 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
327 enum:
328 - signing
329 - digital signature
330 - content commitment
331 - key encipherment
332 - key agreement
333 - data encipherment
334 - cert sign
335 - crl sign
336 - encipher only
337 - decipher only
338 - any
339 - server auth
340 - client auth
341 - code signing
342 - email protection
343 - s/mime
344 - ipsec end system
345 - ipsec tunnel
346 - ipsec user
347 - timestamping
348 - ocsp signing
349 - microsoft sgc
350 - netscape sgc
351 username:
352 type: string
353 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
354 required:
355 - csr
356 - issuerRef
357 status:
358 type: object
359 description: Status of the CertificateRequest. This is set and managed automatically.
360 properties:
361 ca:
362 type: string
363 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
364 format: byte
365 certificate:
366 type: string
367 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
368 format: byte
369 conditions:
370 type: array
371 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
372 items:
373 type: object
374 description: CertificateRequestCondition contains condition information for a CertificateRequest.
375 properties:
376 type:
377 type: string
378 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
379 status:
380 type: string
381 description: Status of the condition, one of (`True`, `False`, `Unknown`).
382 enum:
383 - "True"
384 - "False"
385 - Unknown
386 lastTransitionTime:
387 type: string
388 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
389 format: date-time
390 message:
391 type: string
392 description: Message is a human readable description of the details of the last transition, complementing reason.
393 reason:
394 type: string
395 description: Reason is a brief machine readable explanation for the condition's last transition.
396 required:
397 - status
398 - type
399 failureTime:
400 type: string
401 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
402 format: date-time
403 served: true
404 storage: false
405 subresources:
406 status: {}
407 - name: v1alpha3
408 additionalPrinterColumns:
409 - name: Approved
410 type: string
411 jsonPath: .status.conditions[?(@.type=="Approved")].status
412 - name: Denied
413 type: string
414 jsonPath: .status.conditions[?(@.type=="Denied")].status
415 - name: Ready
416 type: string
417 jsonPath: .status.conditions[?(@.type=="Ready")].status
418 - name: Issuer
419 type: string
420 jsonPath: .spec.issuerRef.name
421 - name: Requestor
422 type: string
423 jsonPath: .spec.username
424 - name: Status
425 type: string
426 priority: 1
427 jsonPath: .status.conditions[?(@.type=="Ready")].message
428 - name: Age
429 type: date
430 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
431 jsonPath: .metadata.creationTimestamp
432 schema:
433 openAPIV3Schema:
434 type: object
435 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
436 properties:
437 apiVersion:
438 type: string
439 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
440 kind:
441 type: string
442 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
443 metadata:
444 type: object
445 spec:
446 type: object
447 description: Desired state of the CertificateRequest resource.
448 properties:
449 csr:
450 type: string
451 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
452 format: byte
453 duration:
454 type: string
455 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
456 extra:
457 type: object
458 additionalProperties:
459 type: array
460 items:
461 type: string
462 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
463 groups:
464 type: array
465 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
466 items:
467 type: string
468 x-kubernetes-list-type: atomic
469 isCA:
470 type: boolean
471 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
472 issuerRef:
473 type: object
474 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
475 properties:
476 name:
477 type: string
478 description: Name of the resource being referred to.
479 kind:
480 type: string
481 description: Kind of the resource being referred to.
482 group:
483 type: string
484 description: Group of the resource being referred to.
485 required:
486 - name
487 uid:
488 type: string
489 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
490 usages:
491 type: array
492 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
493 items:
494 type: string
495 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
496 enum:
497 - signing
498 - digital signature
499 - content commitment
500 - key encipherment
501 - key agreement
502 - data encipherment
503 - cert sign
504 - crl sign
505 - encipher only
506 - decipher only
507 - any
508 - server auth
509 - client auth
510 - code signing
511 - email protection
512 - s/mime
513 - ipsec end system
514 - ipsec tunnel
515 - ipsec user
516 - timestamping
517 - ocsp signing
518 - microsoft sgc
519 - netscape sgc
520 username:
521 type: string
522 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
523 required:
524 - csr
525 - issuerRef
526 status:
527 type: object
528 description: Status of the CertificateRequest. This is set and managed automatically.
529 properties:
530 ca:
531 type: string
532 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
533 format: byte
534 certificate:
535 type: string
536 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
537 format: byte
538 conditions:
539 type: array
540 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
541 items:
542 type: object
543 description: CertificateRequestCondition contains condition information for a CertificateRequest.
544 properties:
545 type:
546 type: string
547 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
548 status:
549 type: string
550 description: Status of the condition, one of (`True`, `False`, `Unknown`).
551 enum:
552 - "True"
553 - "False"
554 - Unknown
555 lastTransitionTime:
556 type: string
557 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
558 format: date-time
559 message:
560 type: string
561 description: Message is a human readable description of the details of the last transition, complementing reason.
562 reason:
563 type: string
564 description: Reason is a brief machine readable explanation for the condition's last transition.
565 required:
566 - status
567 - type
568 failureTime:
569 type: string
570 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
571 format: date-time
572 served: true
573 storage: false
574 subresources:
575 status: {}
576 - name: v1beta1
577 additionalPrinterColumns:
578 - name: Approved
579 type: string
580 jsonPath: .status.conditions[?(@.type=="Approved")].status
581 - name: Denied
582 type: string
583 jsonPath: .status.conditions[?(@.type=="Denied")].status
584 - name: Ready
585 type: string
586 jsonPath: .status.conditions[?(@.type=="Ready")].status
587 - name: Issuer
588 type: string
589 jsonPath: .spec.issuerRef.name
590 - name: Requestor
591 type: string
592 jsonPath: .spec.username
593 - name: Status
594 type: string
595 priority: 1
596 jsonPath: .status.conditions[?(@.type=="Ready")].message
597 - name: Age
598 type: date
599 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
600 jsonPath: .metadata.creationTimestamp
601 schema:
602 openAPIV3Schema:
603 type: object
604 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
605 properties:
606 apiVersion:
607 type: string
608 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
609 kind:
610 type: string
611 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
612 metadata:
613 type: object
614 spec:
615 type: object
616 description: Desired state of the CertificateRequest resource.
617 properties:
618 duration:
619 type: string
620 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
621 extra:
622 type: object
623 additionalProperties:
624 type: array
625 items:
626 type: string
627 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
628 groups:
629 type: array
630 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
631 items:
632 type: string
633 x-kubernetes-list-type: atomic
634 isCA:
635 type: boolean
636 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
637 issuerRef:
638 type: object
639 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
640 properties:
641 name:
642 type: string
643 description: Name of the resource being referred to.
644 kind:
645 type: string
646 description: Kind of the resource being referred to.
647 group:
648 type: string
649 description: Group of the resource being referred to.
650 required:
651 - name
652 request:
653 type: string
654 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
655 format: byte
656 uid:
657 type: string
658 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
659 usages:
660 type: array
661 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
662 items:
663 type: string
664 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
665 enum:
666 - signing
667 - digital signature
668 - content commitment
669 - key encipherment
670 - key agreement
671 - data encipherment
672 - cert sign
673 - crl sign
674 - encipher only
675 - decipher only
676 - any
677 - server auth
678 - client auth
679 - code signing
680 - email protection
681 - s/mime
682 - ipsec end system
683 - ipsec tunnel
684 - ipsec user
685 - timestamping
686 - ocsp signing
687 - microsoft sgc
688 - netscape sgc
689 username:
690 type: string
691 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
692 required:
693 - issuerRef
694 - request
695 status:
696 type: object
697 description: Status of the CertificateRequest. This is set and managed automatically.
698 properties:
699 ca:
700 type: string
701 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
702 format: byte
703 certificate:
704 type: string
705 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
706 format: byte
707 conditions:
708 type: array
709 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
710 items:
711 type: object
712 description: CertificateRequestCondition contains condition information for a CertificateRequest.
713 properties:
714 type:
715 type: string
716 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
717 status:
718 type: string
719 description: Status of the condition, one of (`True`, `False`, `Unknown`).
720 enum:
721 - "True"
722 - "False"
723 - Unknown
724 lastTransitionTime:
725 type: string
726 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
727 format: date-time
728 message:
729 type: string
730 description: Message is a human readable description of the details of the last transition, complementing reason.
731 reason:
732 type: string
733 description: Reason is a brief machine readable explanation for the condition's last transition.
734 required:
735 - status
736 - type
737 failureTime:
738 type: string
739 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
740 format: date-time
741 required:
742 - spec
743 served: true
744 storage: false
745 subresources:
746 status: {}
747---
748# Source: cert-manager/templates/templates.out
749apiVersion: apiextensions.k8s.io/v1
750kind: CustomResourceDefinition
751metadata:
752 name: certificates.cert-manager.io
753 labels:
754 app: 'cert-manager'
755 app.kubernetes.io/instance: 'cert-manager'
756 app.kubernetes.io/name: 'cert-manager'
757 # Generated labels
758 app.kubernetes.io/version: "v1.5.4"
759 annotations:
760 cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
761 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
762 pallet.edge.ncr.com/name: cert-manager
763 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
764 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
765 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
766 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
767spec:
768 conversion:
769 # A Webhook strategy instructs the API server to call an external webhook for any conversion between versions of this custom resource.
770 strategy: Webhook
771 # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint that the API server calls for conversions.
772 webhook:
773 clientConfig:
774 #
775 service:
776 name: 'cert-manager-webhook'
777 namespace: "cert-manager"
778 path: /convert
779 #
780 # We don't actually support `v1beta1` but is listed here as it is a
781 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
782 # API server reads the supported versions in order, so _should always_
783 # attempt a `v1` request which is understood by the cert-manager webhook.
784 # Any `v1beta1` request will return an error and fail closed for that
785 # resource (the whole object request is rejected).
786 # When we no longer support v1.16 we can remove `v1beta1` from this list.
787 conversionReviewVersions: ["v1", "v1beta1"]
788 group: cert-manager.io
789 names:
790 kind: Certificate
791 categories:
792 - cert-manager
793 listKind: CertificateList
794 plural: certificates
795 shortNames:
796 - cert
797 - certs
798 singular: certificate
799 scope: Namespaced
800 versions:
801 - name: v1
802 additionalPrinterColumns:
803 - name: Ready
804 type: string
805 jsonPath: .status.conditions[?(@.type=="Ready")].status
806 - name: Secret
807 type: string
808 jsonPath: .spec.secretName
809 - name: Issuer
810 type: string
811 priority: 1
812 jsonPath: .spec.issuerRef.name
813 - name: Status
814 type: string
815 priority: 1
816 jsonPath: .status.conditions[?(@.type=="Ready")].message
817 - name: Age
818 type: date
819 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
820 jsonPath: .metadata.creationTimestamp
821 schema:
822 openAPIV3Schema:
823 type: object
824 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
825 properties:
826 apiVersion:
827 type: string
828 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
829 kind:
830 type: string
831 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
832 metadata:
833 type: object
834 spec:
835 type: object
836 description: Desired state of the Certificate resource.
837 properties:
838 revisionHistoryLimit:
839 type: integer
840 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
841 format: int32
842 commonName:
843 type: string
844 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
845 dnsNames:
846 type: array
847 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
848 items:
849 type: string
850 duration:
851 type: string
852 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
853 emailAddresses:
854 type: array
855 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
856 items:
857 type: string
858 encodeUsagesInRequest:
859 type: boolean
860 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest.
861 ipAddresses:
862 type: array
863 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
864 items:
865 type: string
866 isCA:
867 type: boolean
868 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. Only set this for certificates that are intended to issue other certificates.
869 issuerRef:
870 type: object
871 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
872 properties:
873 name:
874 type: string
875 description: Name of the resource being referred to.
876 kind:
877 type: string
878 description: Kind of the resource being referred to.
879 group:
880 type: string
881 description: Group of the resource being referred to.
882 required:
883 - name
884 keystores:
885 type: object
886 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
887 properties:
888 jks:
889 type: object
890 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
891 properties:
892 create:
893 type: boolean
894 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks`, containing the issuing Certificate Authority certificate, will also be created in the target Secret resource, encrypted using the same password stored in `passwordSecretRef`.
895 passwordSecretRef:
896 type: object
897 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
898 properties:
899 name:
900 type: string
901 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
902 key:
903 type: string
904 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
905 required:
906 - name
907 required:
908 - create
909 - passwordSecretRef
910 pkcs12:
911 type: object
912 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
913 properties:
914 create:
915 type: boolean
916 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12`, containing the issuing Certificate Authority certificate, will also be created in the target Secret resource, encrypted using the same password stored in `passwordSecretRef`.
917 passwordSecretRef:
918 type: object
919 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
920 properties:
921 name:
922 type: string
923 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
924 key:
925 type: string
926 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
927 required:
928 - name
929 required:
930 - create
931 - passwordSecretRef
932 privateKey:
933 type: object
934 description: Options to control private keys used for the Certificate.
935 properties:
936 algorithm:
937 type: string
938 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified and `size` is not provided, a key size of 256 will be used for the `ECDSA` key algorithm and a key size of 2048 for the `RSA` key algorithm. Key size is ignored when using the `Ed25519` key algorithm.
939 enum:
940 - RSA
941 - ECDSA
942 - Ed25519
943 encoding:
944 type: string
945 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
946 enum:
947 - PKCS1
948 - PKCS8
949 rotationPolicy:
950 type: string
951 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`; an existing key is therefore reused across every renewal, so set Always if the key should be rotated with each re-issuance. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a new private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
952 size:
953 type: integer
954 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
955 renewBefore:
956 type: string
957 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
958 secretName:
959 type: string
960 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
961 secretTemplate:
962 type: object
963 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
964 properties:
965 labels:
966 type: object
967 additionalProperties:
968 type: string
969 description: Labels is a key value map to be copied to the target Kubernetes Secret.
970 annotations:
971 type: object
972 additionalProperties:
973 type: string
974 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
975 subject:
976 type: object
977 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
978 properties:
979 countries:
980 type: array
981 description: Countries to be used on the Certificate.
982 items:
983 type: string
984 localities:
985 type: array
986 description: Cities to be used on the Certificate.
987 items:
988 type: string
989 organizationalUnits:
990 type: array
991 description: Organizational Units to be used on the Certificate.
992 items:
993 type: string
994 organizations:
995 type: array
996 description: Organizations to be used on the Certificate.
997 items:
998 type: string
999 postalCodes:
1000 type: array
1001 description: Postal codes to be used on the Certificate.
1002 items:
1003 type: string
1004 provinces:
1005 type: array
1006 description: State/Provinces to be used on the Certificate.
1007 items:
1008 type: string
1009 serialNumber:
1010 type: string
1011 description: Serial number to be used on the Certificate.
1012 streetAddresses:
1013 type: array
1014 description: Street addresses to be used on the Certificate.
1015 items:
1016 type: string
1017 uris:
1018 type: array
1019 description: URIs is a list of URI subjectAltNames to be set on the Certificate.
1020 items:
1021 type: string
1022 usages:
1023 type: array
1024 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1025 items:
1026 type: string
1027 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1028 enum:
1029 - signing
1030 - digital signature
1031 - content commitment
1032 - key encipherment
1033 - key agreement
1034 - data encipherment
1035 - cert sign
1036 - crl sign
1037 - encipher only
1038 - decipher only
1039 - any
1040 - server auth
1041 - client auth
1042 - code signing
1043 - email protection
1044 - s/mime
1045 - ipsec end system
1046 - ipsec tunnel
1047 - ipsec user
1048 - timestamping
1049 - ocsp signing
1050 - microsoft sgc
1051 - netscape sgc
1052 required:
1053 - issuerRef
1054 - secretName
1055 status:
1056 type: object
1057 description: Status of the Certificate. This is set and managed automatically.
1058 properties:
1059 revision:
1060 type: integer
1061 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1062 conditions:
1063 type: array
1064 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1065 items:
1066 type: object
1067 description: CertificateCondition contains condition information for a Certificate.
1068 properties:
1069 type:
1070 type: string
1071 description: Type of the condition, known values are (`Ready`, `Issuing`).
1072 status:
1073 type: string
1074 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1075 enum:
1076 - "True"
1077 - "False"
1078 - Unknown
1079 lastTransitionTime:
1080 type: string
1081 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1082 format: date-time
1083 message:
1084 type: string
1085 description: Message is a human readable description of the details of the last transition, complementing reason.
1086 observedGeneration:
1087 type: integer
1088 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1089 format: int64
1090 reason:
1091 type: string
1092 description: Reason is a brief machine readable explanation for the condition's last transition.
1093 required:
1094 - status
1095 - type
1096 lastFailureTime:
1097 type: string
1098 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1099 format: date-time
1100 nextPrivateKeySecretName:
1101 type: string
1102 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1103 notAfter:
1104 type: string
1105 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1106 format: date-time
1107 notBefore:
1108 type: string
1109 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1110 format: date-time
1111 renewalTime:
1112 type: string
1113 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1114 format: date-time
1115 required:
1116 - spec
1117 served: true
1118 storage: true
1119 subresources:
1120 status: {}
1121 - name: v1alpha2
1122 additionalPrinterColumns:
1123 - name: Ready
1124 type: string
1125 jsonPath: .status.conditions[?(@.type=="Ready")].status
1126 - name: Secret
1127 type: string
1128 jsonPath: .spec.secretName
1129 - name: Issuer
1130 type: string
1131 priority: 1
1132 jsonPath: .spec.issuerRef.name
1133 - name: Status
1134 type: string
1135 priority: 1
1136 jsonPath: .status.conditions[?(@.type=="Ready")].message
1137 - name: Age
1138 type: date
1139 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1140 jsonPath: .metadata.creationTimestamp
1141 schema:
1142 openAPIV3Schema:
1143 type: object
1144 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1145 properties:
1146 apiVersion:
1147 type: string
1148 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1149 kind:
1150 type: string
1151 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1152 metadata:
1153 type: object
1154 spec:
1155 type: object
1156 description: Desired state of the Certificate resource.
1157 properties:
1158 revisionHistoryLimit:
1159 type: integer
1160 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1161 format: int32
1162 commonName:
1163 type: string
1164 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1165 dnsNames:
1166 type: array
1167 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1168 items:
1169 type: string
1170 duration:
1171 type: string
1172 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1173 emailSANs:
1174 type: array
1175 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1176 items:
1177 type: string
1178 encodeUsagesInRequest:
1179 type: boolean
1180 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest.
1181 ipAddresses:
1182 type: array
1183 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1184 items:
1185 type: string
1186 isCA:
1187 type: boolean
1188 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. Only set this for certificates that are intended to issue other certificates.
1189 issuerRef:
1190 type: object
1191 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1192 properties:
1193 name:
1194 type: string
1195 description: Name of the resource being referred to.
1196 kind:
1197 type: string
1198 description: Kind of the resource being referred to.
1199 group:
1200 type: string
1201 description: Group of the resource being referred to.
1202 required:
1203 - name
1204 keyAlgorithm:
1205 type: string
1206 description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa`. If `keyAlgorithm` is specified and `keySize` is not provided, a key size of 256 will be used for the `ecdsa` key algorithm and a key size of 2048 for the `rsa` key algorithm.
1207 enum:
1208 - rsa
1209 - ecdsa
1210 keyEncoding:
1211 type: string
1212 description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
1213 enum:
1214 - pkcs1
1215 - pkcs8
1216 keySize:
1217 type: integer
1218 description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1219 keystores:
1220 type: object
1221 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1222 properties:
1223 jks:
1224 type: object
1225 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1226 properties:
1227 create:
1228 type: boolean
1229 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1230 passwordSecretRef:
1231 type: object
1232 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1233 properties:
1234 name:
1235 type: string
1236 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1237 key:
1238 type: string
1239 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1240 required:
1241 - name
1242 required:
1243 - create
1244 - passwordSecretRef
1245 pkcs12:
1246 type: object
1247 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1248 properties:
1249 create:
1250 type: boolean
1251 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1252 passwordSecretRef:
1253 type: object
1254 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1255 properties:
1256 name:
1257 type: string
1258 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1259 key:
1260 type: string
1261 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1262 required:
1263 - name
1264 required:
1265 - create
1266 - passwordSecretRef
1267 organization:
1268 type: array
1269 description: Organization is a list of organizations to be used on the Certificate.
1270 items:
1271 type: string
1272 privateKey:
1273 type: object
1274 description: Options to control private keys used for the Certificate.
1275 properties:
1276 rotationPolicy:
1277 type: string
1278 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`; an existing key is therefore reused across every renewal, so set Always if the key should be rotated with each re-issuance. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a new private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1279 renewBefore:
1280 type: string
1281 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1282 secretName:
1283 type: string
1284 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1285 secretTemplate:
1286 type: object
1287 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1288 properties:
1289 labels:
1290 type: object
1291 additionalProperties:
1292 type: string
1293 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1294 annotations:
1295 type: object
1296 additionalProperties:
1297 type: string
1298 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1299 subject:
1300 type: object
1301 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1302 properties:
1303 countries:
1304 type: array
1305 description: Countries to be used on the Certificate.
1306 items:
1307 type: string
1308 localities:
1309 type: array
1310 description: Cities to be used on the Certificate.
1311 items:
1312 type: string
1313 organizationalUnits:
1314 type: array
1315 description: Organizational Units to be used on the Certificate.
1316 items:
1317 type: string
1318 postalCodes:
1319 type: array
1320 description: Postal codes to be used on the Certificate.
1321 items:
1322 type: string
1323 provinces:
1324 type: array
1325 description: State/Provinces to be used on the Certificate.
1326 items:
1327 type: string
1328 serialNumber:
1329 type: string
1330 description: Serial number to be used on the Certificate.
1331 streetAddresses:
1332 type: array
1333 description: Street addresses to be used on the Certificate.
1334 items:
1335 type: string
1336 uriSANs:
1337 type: array
1338 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1339 items:
1340 type: string
1341 usages:
1342 type: array
1343 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1344 items:
1345 type: string
1346 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1347 enum:
1348 - signing
1349 - digital signature
1350 - content commitment
1351 - key encipherment
1352 - key agreement
1353 - data encipherment
1354 - cert sign
1355 - crl sign
1356 - encipher only
1357 - decipher only
1358 - any
1359 - server auth
1360 - client auth
1361 - code signing
1362 - email protection
1363 - s/mime
1364 - ipsec end system
1365 - ipsec tunnel
1366 - ipsec user
1367 - timestamping
1368 - ocsp signing
1369 - microsoft sgc
1370 - netscape sgc
1371 required:
1372 - issuerRef
1373 - secretName
1374 status:
1375 type: object
1376 description: Status of the Certificate. This is set and managed automatically.
1377 properties:
1378 revision:
1379 type: integer
1380 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1381 conditions:
1382 type: array
1383 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1384 items:
1385 type: object
1386 description: CertificateCondition contains condition information for a Certificate.
1387 properties:
1388 type:
1389 type: string
1390 description: Type of the condition, known values are (`Ready`, `Issuing`).
1391 status:
1392 type: string
1393 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1394 enum:
1395 - "True"
1396 - "False"
1397 - Unknown
1398 lastTransitionTime:
1399 type: string
1400 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1401 format: date-time
1402 message:
1403 type: string
1404 description: Message is a human readable description of the details of the last transition, complementing reason.
1405 observedGeneration:
1406 type: integer
1407 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1408 format: int64
1409 reason:
1410 type: string
1411 description: Reason is a brief machine readable explanation for the condition's last transition.
1412 required:
1413 - status
1414 - type
1415 lastFailureTime:
1416 type: string
1417 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1418 format: date-time
1419 nextPrivateKeySecretName:
1420 type: string
1421 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1422 notAfter:
1423 type: string
1424 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1425 format: date-time
1426 notBefore:
1427 type: string
1428 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1429 format: date-time
1430 renewalTime:
1431 type: string
1432 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1433 format: date-time
1434 served: true
1435 storage: false
1436 subresources:
1437 status: {}
1438 - name: v1alpha3
1439 additionalPrinterColumns:
1440 - name: Ready
1441 type: string
1442 jsonPath: .status.conditions[?(@.type=="Ready")].status
1443 - name: Secret
1444 type: string
1445 jsonPath: .spec.secretName
1446 - name: Issuer
1447 type: string
1448 priority: 1
1449 jsonPath: .spec.issuerRef.name
1450 - name: Status
1451 type: string
1452 priority: 1
1453 jsonPath: .status.conditions[?(@.type=="Ready")].message
1454 - name: Age
1455 type: date
1456 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1457 jsonPath: .metadata.creationTimestamp
1458 schema:
1459 openAPIV3Schema:
1460 type: object
1461 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1462 properties:
1463 apiVersion:
1464 type: string
1465 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1466 kind:
1467 type: string
1468 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1469 metadata:
1470 type: object
1471 spec:
1472 type: object
1473 description: Desired state of the Certificate resource.
1474 properties:
1475 revisionHistoryLimit:
1476 type: integer
1477 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1478 format: int32
1479 commonName:
1480 type: string
1481 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1482 dnsNames:
1483 type: array
1484 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1485 items:
1486 type: string
1487 duration:
1488 type: string
1489 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1490 emailSANs:
1491 type: array
1492 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1493 items:
1494 type: string
1495 encodeUsagesInRequest:
1496 type: boolean
1497 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1498 ipAddresses:
1499 type: array
1500 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1501 items:
1502 type: string
1503 isCA:
1504 type: boolean
1505 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1506 issuerRef:
1507 type: object
1508 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1509 properties:
1510 name:
1511 type: string
1512 description: Name of the resource being referred to.
1513 kind:
1514 type: string
1515 description: Kind of the resource being referred to.
1516 group:
1517 type: string
1518 description: Group of the resource being referred to.
1519 required:
1520 - name
1521 keyAlgorithm:
1522 type: string
1523 description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa`. If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
1524 enum:
1525 - rsa
1526 - ecdsa
1527 keyEncoding:
1528 type: string
1529 description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
1530 enum:
1531 - pkcs1
1532 - pkcs8
1533 keySize:
1534 type: integer
1535 description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1536 keystores:
1537 type: object
1538 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1539 properties:
1540 jks:
1541 type: object
1542 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1543 properties:
1544 create:
1545 type: boolean
1546 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
1547 passwordSecretRef:
1548 type: object
1549 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1550 properties:
1551 name:
1552 type: string
1553 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1554 key:
1555 type: string
1556 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1557 required:
1558 - name
1559 required:
1560 - create
1561 - passwordSecretRef
1562 pkcs12:
1563 type: object
1564 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1565 properties:
1566 create:
1567 type: boolean
1568 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
1569 passwordSecretRef:
1570 type: object
1571 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1572 properties:
1573 name:
1574 type: string
1575 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1576 key:
1577 type: string
1578 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1579 required:
1580 - name
1581 required:
1582 - create
1583 - passwordSecretRef
1584 privateKey:
1585 type: object
1586 description: Options to control private keys used for the Certificate.
1587 properties:
1588 rotationPolicy:
1589 type: string
1590 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1591 renewBefore:
1592 type: string
1593 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1594 secretName:
1595 type: string
1596 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1597 secretTemplate:
1598 type: object
1599 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1600 properties:
1601 labels:
1602 type: object
1603 additionalProperties:
1604 type: string
1605 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1606 annotations:
1607 type: object
1608 additionalProperties:
1609 type: string
1610 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1611 subject:
1612 type: object
1613 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1614 properties:
1615 countries:
1616 type: array
1617 description: Countries to be used on the Certificate.
1618 items:
1619 type: string
1620 localities:
1621 type: array
1622 description: Cities to be used on the Certificate.
1623 items:
1624 type: string
1625 organizationalUnits:
1626 type: array
1627 description: Organizational Units to be used on the Certificate.
1628 items:
1629 type: string
1630 organizations:
1631 type: array
1632 description: Organizations to be used on the Certificate.
1633 items:
1634 type: string
1635 postalCodes:
1636 type: array
1637 description: Postal codes to be used on the Certificate.
1638 items:
1639 type: string
1640 provinces:
1641 type: array
1642 description: State/Provinces to be used on the Certificate.
1643 items:
1644 type: string
1645 serialNumber:
1646 type: string
1647 description: Serial number to be used on the Certificate.
1648 streetAddresses:
1649 type: array
1650 description: Street addresses to be used on the Certificate.
1651 items:
1652 type: string
1653 uriSANs:
1654 type: array
1655 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1656 items:
1657 type: string
1658 usages:
1659 type: array
1660 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1661 items:
1662 type: string
1663 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1664 enum:
1665 - signing
1666 - digital signature
1667 - content commitment
1668 - key encipherment
1669 - key agreement
1670 - data encipherment
1671 - cert sign
1672 - crl sign
1673 - encipher only
1674 - decipher only
1675 - any
1676 - server auth
1677 - client auth
1678 - code signing
1679 - email protection
1680 - s/mime
1681 - ipsec end system
1682 - ipsec tunnel
1683 - ipsec user
1684 - timestamping
1685 - ocsp signing
1686 - microsoft sgc
1687 - netscape sgc
1688 required:
1689 - issuerRef
1690 - secretName
1691 status:
1692 type: object
1693 description: Status of the Certificate. This is set and managed automatically.
1694 properties:
1695 revision:
1696 type: integer
1697 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1698 conditions:
1699 type: array
1700 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1701 items:
1702 type: object
1703 description: CertificateCondition contains condition information for a Certificate.
1704 properties:
1705 type:
1706 type: string
1707 description: Type of the condition, known values are (`Ready`, `Issuing`).
1708 status:
1709 type: string
1710 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1711 enum:
1712 - "True"
1713 - "False"
1714 - Unknown
1715 lastTransitionTime:
1716 type: string
1717 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1718 format: date-time
1719 message:
1720 type: string
1721 description: Message is a human readable description of the details of the last transition, complementing reason.
1722 observedGeneration:
1723 type: integer
1724 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1725 format: int64
1726 reason:
1727 type: string
1728 description: Reason is a brief machine readable explanation for the condition's last transition.
1729 required:
1730 - status
1731 - type
1732 lastFailureTime:
1733 type: string
1734 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1735 format: date-time
1736 nextPrivateKeySecretName:
1737 type: string
1738 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1739 notAfter:
1740 type: string
1741 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1742 format: date-time
1743 notBefore:
1744 type: string
1745 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1746 format: date-time
1747 renewalTime:
1748 type: string
1749 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1750 format: date-time
1751 served: true
1752 storage: false
1753 subresources:
1754 status: {}
1755 - name: v1beta1
1756 additionalPrinterColumns:
1757 - name: Ready
1758 type: string
1759 jsonPath: .status.conditions[?(@.type=="Ready")].status
1760 - name: Secret
1761 type: string
1762 jsonPath: .spec.secretName
1763 - name: Issuer
1764 type: string
1765 priority: 1
1766 jsonPath: .spec.issuerRef.name
1767 - name: Status
1768 type: string
1769 priority: 1
1770 jsonPath: .status.conditions[?(@.type=="Ready")].message
1771 - name: Age
1772 type: date
1773 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1774 jsonPath: .metadata.creationTimestamp
1775 schema:
1776 openAPIV3Schema:
1777 type: object
1778 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1779 properties:
1780 apiVersion:
1781 type: string
1782 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1783 kind:
1784 type: string
1785 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1786 metadata:
1787 type: object
1788 spec:
1789 type: object
1790 description: Desired state of the Certificate resource.
1791 properties:
1792 revisionHistoryLimit:
1793 type: integer
1794 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1795 format: int32
1796 commonName:
1797 type: string
1798 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1799 dnsNames:
1800 type: array
1801 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1802 items:
1803 type: string
1804 duration:
1805 type: string
1806 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1807 emailSANs:
1808 type: array
1809 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1810 items:
1811 type: string
1812 encodeUsagesInRequest:
1813 type: boolean
1814 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1815 ipAddresses:
1816 type: array
1817 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1818 items:
1819 type: string
1820 isCA:
1821 type: boolean
1822 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1823 issuerRef:
1824 type: object
1825 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1826 properties:
1827 name:
1828 type: string
1829 description: Name of the resource being referred to.
1830 kind:
1831 type: string
1832 description: Kind of the resource being referred to.
1833 group:
1834 type: string
1835 description: Group of the resource being referred to.
1836 required:
1837 - name
1838 keystores:
1839 type: object
1840 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1841 properties:
1842 jks:
1843 type: object
1844 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1845 properties:
1846 create:
1847 type: boolean
1848 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1849 passwordSecretRef:
1850 type: object
1851 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1852 properties:
1853 name:
1854 type: string
1855 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1856 key:
1857 type: string
1858 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1859 required:
1860 - name
1861 required:
1862 - create
1863 - passwordSecretRef
1864 pkcs12:
1865 type: object
1866 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1867 properties:
1868 create:
1869 type: boolean
1870 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1871 passwordSecretRef:
1872 type: object
1873 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1874 properties:
1875 name:
1876 type: string
1877 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1878 key:
1879 type: string
1880 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1881 required:
1882 - name
1883 required:
1884 - create
1885 - passwordSecretRef
1886 privateKey:
1887 type: object
1888 description: Options to control private keys used for the Certificate.
1889 properties:
1890 algorithm:
1891 type: string
1892 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA` or `ECDSA`. If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm.
1893 enum:
1894 - RSA
1895 - ECDSA
1896 encoding:
1897 type: string
1898 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1899 enum:
1900 - PKCS1
1901 - PKCS8
1902 rotationPolicy:
1903 type: string
1904 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1905 size:
1906 type: integer
1907 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1908 renewBefore:
1909 type: string
1910 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1911 secretName:
1912 type: string
1913 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1914 secretTemplate:
1915 type: object
1916 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1917 properties:
1918 labels:
1919 type: object
1920 additionalProperties:
1921 type: string
1922 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1923 annotations:
1924 type: object
1925 additionalProperties:
1926 type: string
1927 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1928 subject:
1929 type: object
1930 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1931 properties:
1932 countries:
1933 type: array
1934 description: Countries to be used on the Certificate.
1935 items:
1936 type: string
1937 localities:
1938 type: array
1939 description: Cities to be used on the Certificate.
1940 items:
1941 type: string
1942 organizationalUnits:
1943 type: array
1944 description: Organizational Units to be used on the Certificate.
1945 items:
1946 type: string
1947 organizations:
1948 type: array
1949 description: Organizations to be used on the Certificate.
1950 items:
1951 type: string
1952 postalCodes:
1953 type: array
1954 description: Postal codes to be used on the Certificate.
1955 items:
1956 type: string
1957 provinces:
1958 type: array
1959 description: State/Provinces to be used on the Certificate.
1960 items:
1961 type: string
1962 serialNumber:
1963 type: string
1964 description: Serial number to be used on the Certificate.
1965 streetAddresses:
1966 type: array
1967 description: Street addresses to be used on the Certificate.
1968 items:
1969 type: string
1970 uriSANs:
1971 type: array
1972 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1973 items:
1974 type: string
1975 usages:
1976 type: array
1977 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1978 items:
1979 type: string
1980 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1981 enum:
1982 - signing
1983 - digital signature
1984 - content commitment
1985 - key encipherment
1986 - key agreement
1987 - data encipherment
1988 - cert sign
1989 - crl sign
1990 - encipher only
1991 - decipher only
1992 - any
1993 - server auth
1994 - client auth
1995 - code signing
1996 - email protection
1997 - s/mime
1998 - ipsec end system
1999 - ipsec tunnel
2000 - ipsec user
2001 - timestamping
2002 - ocsp signing
2003 - microsoft sgc
2004 - netscape sgc
2005 required:
2006 - issuerRef
2007 - secretName
2008 status:
2009 type: object
2010 description: Status of the Certificate. This is set and managed automatically.
2011 properties:
2012 revision:
2013 type: integer
2014 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
2015 conditions:
2016 type: array
2017 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
2018 items:
2019 type: object
2020 description: CertificateCondition contains condition information for a Certificate.
2021 properties:
2022 type:
2023 type: string
2024 description: Type of the condition, known values are (`Ready`, `Issuing`).
2025 status:
2026 type: string
2027 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2028 enum:
2029 - "True"
2030 - "False"
2031 - Unknown
2032 lastTransitionTime:
2033 type: string
2034 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2035 format: date-time
2036 message:
2037 type: string
2038 description: Message is a human readable description of the details of the last transition, complementing reason.
2039 observedGeneration:
2040 type: integer
2041 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
2042 format: int64
2043 reason:
2044 type: string
2045 description: Reason is a brief machine readable explanation for the condition's last transition.
2046 required:
2047 - status
2048 - type
2049 lastFailureTime:
2050 type: string
2051 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
2052 format: date-time
2053 nextPrivateKeySecretName:
2054 type: string
2055 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
2056 notAfter:
2057 type: string
2058 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
2059 format: date-time
2060 notBefore:
2061 type: string
2062 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
2063 format: date-time
2064 renewalTime:
2065 type: string
2066 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
2067 format: date-time
2068 required:
2069 - spec
2070 served: true
2071 storage: false
2072 subresources:
2073 status: {}
2074---
2075# Source: cert-manager/templates/templates.out
2076apiVersion: apiextensions.k8s.io/v1
2077kind: CustomResourceDefinition
2078metadata:
2079 name: challenges.acme.cert-manager.io
2080 labels:
2081 app: 'cert-manager'
2082 app.kubernetes.io/instance: 'cert-manager'
2083 app.kubernetes.io/name: 'cert-manager'
2084 # Generated labels
2085 app.kubernetes.io/version: "v1.5.4"
2086 annotations:
2087 cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
2088 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
2089 pallet.edge.ncr.com/name: cert-manager
2090 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
2091 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
2092 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
2093 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
2094spec:
2095 conversion:
2096 # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
2097 strategy: Webhook
2098 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
2099 webhook:
2100 clientConfig:
2101 #
2102 service:
2103 name: 'cert-manager-webhook'
2104 namespace: "cert-manager"
2105 path: /convert
2106 #
2107 # We don't actually support `v1beta1` but is listed here as it is a
2108 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
2109 # API server reads the supported versions in order, so _should always_
2110 # attempt a `v1` request which is understood by the cert-manager webhook.
2111 # Any `v1beta1` request will return an error and fail closed for that
2112 # resource (the whole object request is rejected).
2113 # When we no longer support v1.16 we can remove `v1beta1` from this list.
2114 conversionReviewVersions: ["v1", "v1beta1"]
2115 group: acme.cert-manager.io
2116 names:
2117 kind: Challenge
2118 categories:
2119 - cert-manager
2120 - cert-manager-acme
2121 listKind: ChallengeList
2122 plural: challenges
2123 singular: challenge
2124 scope: Namespaced
2125 versions:
2126 - name: v1
2127 additionalPrinterColumns:
2128 - name: State
2129 type: string
2130 jsonPath: .status.state
2131 - name: Domain
2132 type: string
2133 jsonPath: .spec.dnsName
2134 - name: Reason
2135 type: string
2136 priority: 1
2137 jsonPath: .status.reason
2138 - name: Age
2139 type: date
2140 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2141 jsonPath: .metadata.creationTimestamp
2142 schema:
2143 openAPIV3Schema:
2144 type: object
2145 description: Challenge is a type to represent a Challenge request with an ACME server
2146 properties:
2147 apiVersion:
2148 type: string
2149 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2150 kind:
2151 type: string
2152 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2153 metadata:
2154 type: object
2155 spec:
2156 type: object
2157 properties:
2158 type:
2159 type: string
2160 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
2161 enum:
2162 - HTTP-01
2163 - DNS-01
2164 authorizationURL:
2165 type: string
2166 description: The URL to the ACME Authorization resource that this challenge is a part of.
2167 dnsName:
2168 type: string
2169 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
2170 issuerRef:
2171 type: object
2172 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
2173 properties:
2174 name:
2175 type: string
2176 description: Name of the resource being referred to.
2177 kind:
2178 type: string
2179 description: Kind of the resource being referred to.
2180 group:
2181 type: string
2182 description: Group of the resource being referred to.
2183 required:
2184 - name
2185 key:
2186 type: string
2187 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge, in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
2188 solver:
2189 type: object
2190 description: Contains the domain solving configuration that should be used to solve this challenge resource.
2191 properties:
2192 selector:
2193 type: object
2194 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
2195 properties:
2196 dnsNames:
2197 type: array
2198 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2199 items:
2200 type: string
2201 dnsZones:
2202 type: array
2203 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2204 items:
2205 type: string
2206 matchLabels:
2207 type: object
2208 additionalProperties:
2209 type: string
2210 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
2211 dns01:
2212 type: object
2213 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
2214 properties:
2215 acmeDNS:
2216 type: object
2217 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
2218 properties:
2219 accountSecretRef:
2220 type: object
2221 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2222 properties:
2223 name:
2224 type: string
2225 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2226 key:
2227 type: string
2228 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2229 required:
2230 - name
2231 host:
2232 type: string
2233 required:
2234 - accountSecretRef
2235 - host
2236 akamai:
2237 type: object
2238 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
2239 properties:
2240 accessTokenSecretRef:
2241 type: object
2242 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2243 properties:
2244 name:
2245 type: string
2246 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2247 key:
2248 type: string
2249 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2250 required:
2251 - name
2252 clientSecretSecretRef:
2253 type: object
2254 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2255 properties:
2256 name:
2257 type: string
2258 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2259 key:
2260 type: string
2261 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2262 required:
2263 - name
2264 clientTokenSecretRef:
2265 type: object
2266 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2267 properties:
2268 name:
2269 type: string
2270 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2271 key:
2272 type: string
2273 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2274 required:
2275 - name
2276 serviceConsumerDomain:
2277 type: string
2278 required:
2279 - accessTokenSecretRef
2280 - clientSecretSecretRef
2281 - clientTokenSecretRef
2282 - serviceConsumerDomain
2283 azureDNS:
2284 type: object
2285 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
2286 properties:
2287 clientID:
2288 type: string
2289 description: If both this and ClientSecret are left unset, Azure Managed Service Identity (MSI) will be used for authentication.
2290 clientSecretSecretRef:
2291 type: object
2292 description: If both this and ClientID are left unset, Azure Managed Service Identity (MSI) will be used for authentication.
2293 properties:
2294 name:
2295 type: string
2296 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2297 key:
2298 type: string
2299 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2300 required:
2301 - name
2302 environment:
2303 type: string
2304 enum:
2305 - AzurePublicCloud
2306 - AzureChinaCloud
2307 - AzureGermanCloud
2308 - AzureUSGovernmentCloud
2309 hostedZoneName:
2310 type: string
2311 resourceGroupName:
2312 type: string
2313 subscriptionID:
2314 type: string
2315 tenantID:
2316 type: string
2317 description: When ClientID and ClientSecret are specified, this field is also required.
2318 required:
2319 - resourceGroupName
2320 - subscriptionID
2321 cloudDNS:
2322 type: object
2323 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
2324 properties:
2325 hostedZoneName:
2326 type: string
2327 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
2328 project:
2329 type: string
2330 serviceAccountSecretRef:
2331 type: object
2332 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2333 properties:
2334 name:
2335 type: string
2336 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2337 key:
2338 type: string
2339 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2340 required:
2341 - name
2342 required:
2343 - project
2344 cloudflare:
2345 type: object
2346 description: Use the Cloudflare API to manage DNS01 challenge records.
2347 properties:
2348 apiKeySecretRef:
2349 type: object
2350 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
2351 properties:
2352 name:
2353 type: string
2354 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2355 key:
2356 type: string
2357 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2358 required:
2359 - name
2360 apiTokenSecretRef:
2361 type: object
2362 description: API token used to authenticate with Cloudflare.
2363 properties:
2364 name:
2365 type: string
2366 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2367 key:
2368 type: string
2369 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2370 required:
2371 - name
2372 email:
2373 type: string
2374 description: Email of the account, only required when using API key based authentication.
2375 cnameStrategy:
2376 type: string
2377 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
2378 enum:
2379 - None
2380 - Follow
2381 digitalocean:
2382 type: object
2383 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
2384 properties:
2385 tokenSecretRef:
2386 type: object
2387 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2388 properties:
2389 name:
2390 type: string
2391 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2392 key:
2393 type: string
2394 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2395 required:
2396 - name
2397 required:
2398 - tokenSecretRef
2399 rfc2136:
2400 type: object
2401 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
2402 properties:
2403 nameserver:
2404 type: string
2405 description: The IP address or hostname of an authoritative DNS server supporting RFC2136, in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
2406 tsigAlgorithm:
2407 type: string
2408 description: 'The TSIG Algorithm configured in the DNS server supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The ``HMACMD5`` default is kept for compatibility with existing servers; set ``HMACSHA256`` or ``HMACSHA512`` explicitly where the server supports it.'
2409 tsigKeyName:
2410 type: string
2411 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
2412 tsigSecretSecretRef:
2413 type: object
2414 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
2415 properties:
2416 name:
2417 type: string
2418 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2419 key:
2420 type: string
2421 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2422 required:
2423 - name
2424 required:
2425 - nameserver
2426 route53:
2427 type: object
2428 description: Use the AWS Route53 API to manage DNS01 challenge records.
2429 properties:
2430 accessKeyID:
2431 type: string
2432 description: 'The AccessKeyID is used for authentication. If not set, cert-manager falls back to the ambient AWS credentials of its own pod (environment variables, shared credentials file or instance metadata); see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2433 hostedZoneID:
2434 type: string
2435 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
2436 region:
2437 type: string
2438 description: Always set the region when using AccessKeyID and SecretAccessKey
2439 role:
2440 type: string
2441 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
2442 secretAccessKeySecretRef:
2443 type: object
2444 description: The SecretAccessKey is used for authentication. If not set, cert-manager falls back to the ambient AWS credentials of its own pod (environment variables, shared credentials file or instance metadata); see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2445 properties:
2446 name:
2447 type: string
2448 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2449 key:
2450 type: string
2451 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2452 required:
2453 - name
2454 required:
2455 - region
2456 webhook:
2457 type: object
2458 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2459 properties:
2460 config:
2461 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza, because it is stored in clear text on the resource and is readable by anyone who can read the Challenge. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2462 x-kubernetes-preserve-unknown-fields: true
2463 groupName:
2464 type: string
2465 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2466 solverName:
2467 type: string
2468 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2469 required:
2470 - groupName
2471 - solverName
2472 http01:
2473 type: object
2474 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2475 properties:
2476 gatewayHTTPRoute:
2477 type: object
2478 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2479 properties:
2480 labels:
2481 type: object
2482 additionalProperties:
2483 type: string
2484 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
2485 serviceType:
2486 type: string
2487 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2488 ingress:
2489 type: object
2490 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
2491 properties:
2492 name:
2493 type: string
2494 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
2495 class:
2496 type: string
2497 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
2498 ingressTemplate:
2499 type: object
2500 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
2501 properties:
2502 metadata:
2503 type: object
2504 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2505 properties:
2506 labels:
2507 type: object
2508 additionalProperties:
2509 type: string
2510 description: Labels that should be added to the created ACME HTTP01 solver ingress.
2511 annotations:
2512 type: object
2513 additionalProperties:
2514 type: string
2515 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
2516 podTemplate:
2517 type: object
2518 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2519 properties:
2520 metadata:
2521 type: object
2522 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2523 properties:
2524 labels:
2525 type: object
2526 additionalProperties:
2527 type: string
2528 description: Labels that should be added to the created ACME HTTP01 solver pods.
2529 annotations:
2530 type: object
2531 additionalProperties:
2532 type: string
2533 description: Annotations that should be added to the created ACME HTTP01 solver pods.
2534 spec:
2535 type: object
2536 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
2537 properties:
2538 serviceAccountName:
2539 type: string
2540 description: If specified, the service account the solver pod runs as. The pod receives that account's token (unless automounting is disabled), so grant it no more permissions than the HTTP01 solver needs.
2541 priorityClassName:
2542 type: string
2543 description: If specified, the pod's priorityClassName.
2544 nodeSelector:
2545 type: object
2546 additionalProperties:
2547 type: string
2548 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2549 affinity:
2550 type: object
2551 description: If specified, the pod's scheduling constraints
2552 properties:
2553 nodeAffinity:
2554 type: object
2555 description: Describes node affinity scheduling rules for the pod.
2556 properties:
2557 preferredDuringSchedulingIgnoredDuringExecution:
2558 type: array
2559 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2560 items:
2561 type: object
2562 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2563 properties:
2564 preference:
2565 type: object
2566 description: A node selector term, associated with the corresponding weight.
2567 properties:
2568 matchExpressions:
2569 type: array
2570 description: A list of node selector requirements by node's labels.
2571 items:
2572 type: object
2573 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2574 properties:
2575 key:
2576 type: string
2577 description: The label key that the selector applies to.
2578 operator:
2579 type: string
2580 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2581 values:
2582 type: array
2583 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2584 items:
2585 type: string
2586 required:
2587 - key
2588 - operator
2589 matchFields:
2590 type: array
2591 description: A list of node selector requirements by node's fields.
2592 items:
2593 type: object
2594 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2595 properties:
2596 key:
2597 type: string
2598 description: The label key that the selector applies to.
2599 operator:
2600 type: string
2601 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2602 values:
2603 type: array
2604 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2605 items:
2606 type: string
2607 required:
2608 - key
2609 - operator
2610 weight:
2611 type: integer
2612 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2613 format: int32
2614 required:
2615 - preference
2616 - weight
2617 requiredDuringSchedulingIgnoredDuringExecution:
2618 type: object
2619 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2620 properties:
2621 nodeSelectorTerms:
2622 type: array
2623 description: Required. A list of node selector terms. The terms are ORed.
2624 items:
2625 type: object
2626 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2627 properties:
2628 matchExpressions:
2629 type: array
2630 description: A list of node selector requirements by node's labels.
2631 items:
2632 type: object
2633 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2634 properties:
2635 key:
2636 type: string
2637 description: The label key that the selector applies to.
2638 operator:
2639 type: string
2640 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2641 values:
2642 type: array
2643 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2644 items:
2645 type: string
2646 required:
2647 - key
2648 - operator
2649 matchFields:
2650 type: array
2651 description: A list of node selector requirements by node's fields.
2652 items:
2653 type: object
2654 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2655 properties:
2656 key:
2657 type: string
2658 description: The label key that the selector applies to.
2659 operator:
2660 type: string
2661 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2662 values:
2663 type: array
2664 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2665 items:
2666 type: string
2667 required:
2668 - key
2669 - operator
2670 required:
2671 - nodeSelectorTerms
2672 podAffinity:
2673 type: object
2674 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2675 properties:
2676 preferredDuringSchedulingIgnoredDuringExecution:
2677 type: array
2678 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2679 items:
2680 type: object
2681 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2682 properties:
2683 podAffinityTerm:
2684 type: object
2685 description: Required. A pod affinity term, associated with the corresponding weight.
2686 properties:
2687 labelSelector:
2688 type: object
2689 description: A label query over a set of resources, in this case pods.
2690 properties:
2691 matchExpressions:
2692 type: array
2693 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2694 items:
2695 type: object
2696 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2697 properties:
2698 key:
2699 type: string
2700 description: key is the label key that the selector applies to.
2701 operator:
2702 type: string
2703 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2704 values:
2705 type: array
2706 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2707 items:
2708 type: string
2709 required:
2710 - key
2711 - operator
2712 matchLabels:
2713 type: object
2714 additionalProperties:
2715 type: string
2716 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2717 namespaceSelector:
2718 type: object
2719 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2720 properties:
2721 matchExpressions:
2722 type: array
2723 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2724 items:
2725 type: object
2726 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2727 properties:
2728 key:
2729 type: string
2730 description: key is the label key that the selector applies to.
2731 operator:
2732 type: string
2733 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2734 values:
2735 type: array
2736 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2737 items:
2738 type: string
2739 required:
2740 - key
2741 - operator
2742 matchLabels:
2743 type: object
2744 additionalProperties:
2745 type: string
2746 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2747 namespaces:
2748 type: array
2749 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2750 items:
2751 type: string
2752 topologyKey:
2753 type: string
2754 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2755 required:
2756 - topologyKey
2757 weight:
2758 type: integer
2759 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2760 format: int32
2761 required:
2762 - podAffinityTerm
2763 - weight
2764 requiredDuringSchedulingIgnoredDuringExecution:
2765 type: array
2766 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2767 items:
2768 type: object
2769 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2770 properties:
2771 labelSelector:
2772 type: object
2773 description: A label query over a set of resources, in this case pods.
2774 properties:
2775 matchExpressions:
2776 type: array
2777 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2778 items:
2779 type: object
2780 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2781 properties:
2782 key:
2783 type: string
2784 description: key is the label key that the selector applies to.
2785 operator:
2786 type: string
2787 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2788 values:
2789 type: array
2790 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2791 items:
2792 type: string
2793 required:
2794 - key
2795 - operator
2796 matchLabels:
2797 type: object
2798 additionalProperties:
2799 type: string
2800 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2801 namespaceSelector:
2802 type: object
2803 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2804 properties:
2805 matchExpressions:
2806 type: array
2807 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2808 items:
2809 type: object
2810 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2811 properties:
2812 key:
2813 type: string
2814 description: key is the label key that the selector applies to.
2815 operator:
2816 type: string
2817 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2818 values:
2819 type: array
2820 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2821 items:
2822 type: string
2823 required:
2824 - key
2825 - operator
2826 matchLabels:
2827 type: object
2828 additionalProperties:
2829 type: string
2830 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2831 namespaces:
2832 type: array
2833 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2834 items:
2835 type: string
2836 topologyKey:
2837 type: string
2838 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2839 required:
2840 - topologyKey
2841 podAntiAffinity:
2842 type: object
2843 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2844 properties:
2845 preferredDuringSchedulingIgnoredDuringExecution:
2846 type: array
2847 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2848 items:
2849 type: object
2850 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2851 properties:
2852 podAffinityTerm:
2853 type: object
2854 description: Required. A pod affinity term, associated with the corresponding weight.
2855 properties:
2856 labelSelector:
2857 type: object
2858 description: A label query over a set of resources, in this case pods.
2859 properties:
2860 matchExpressions:
2861 type: array
2862 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2863 items:
2864 type: object
2865 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2866 properties:
2867 key:
2868 type: string
2869 description: key is the label key that the selector applies to.
2870 operator:
2871 type: string
2872 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2873 values:
2874 type: array
2875 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2876 items:
2877 type: string
2878 required:
2879 - key
2880 - operator
2881 matchLabels:
2882 type: object
2883 additionalProperties:
2884 type: string
2885 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2886 namespaceSelector:
2887 type: object
2888 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2889 properties:
2890 matchExpressions:
2891 type: array
2892 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2893 items:
2894 type: object
2895 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2896 properties:
2897 key:
2898 type: string
2899 description: key is the label key that the selector applies to.
2900 operator:
2901 type: string
2902 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2903 values:
2904 type: array
2905 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2906 items:
2907 type: string
2908 required:
2909 - key
2910 - operator
2911 matchLabels:
2912 type: object
2913 additionalProperties:
2914 type: string
2915 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2916 namespaces:
2917 type: array
2918 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2919 items:
2920 type: string
2921 topologyKey:
2922 type: string
2923 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2924 required:
2925 - topologyKey
2926 weight:
2927 type: integer
2928 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2929 format: int32
2930 required:
2931 - podAffinityTerm
2932 - weight
2933 requiredDuringSchedulingIgnoredDuringExecution:
2934 type: array
2935 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2936 items:
2937 type: object
2938 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2939 properties:
2940 labelSelector:
2941 type: object
2942 description: A label query over a set of resources, in this case pods.
2943 properties:
2944 matchExpressions:
2945 type: array
2946 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2947 items:
2948 type: object
2949 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2950 properties:
2951 key:
2952 type: string
2953 description: key is the label key that the selector applies to.
2954 operator:
2955 type: string
2956 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2957 values:
2958 type: array
2959 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2960 items:
2961 type: string
2962 required:
2963 - key
2964 - operator
2965 matchLabels:
2966 type: object
2967 additionalProperties:
2968 type: string
2969 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2970 namespaceSelector:
2971 type: object
2972 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2973 properties:
2974 matchExpressions:
2975 type: array
2976 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2977 items:
2978 type: object
2979 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2980 properties:
2981 key:
2982 type: string
2983 description: key is the label key that the selector applies to.
2984 operator:
2985 type: string
2986 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2987 values:
2988 type: array
2989 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2990 items:
2991 type: string
2992 required:
2993 - key
2994 - operator
2995 matchLabels:
2996 type: object
2997 additionalProperties:
2998 type: string
2999 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3000 namespaces:
3001 type: array
3002 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3003 items:
3004 type: string
3005 topologyKey:
3006 type: string
3007 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3008 required:
3009 - topologyKey
3010 tolerations:
3011 type: array
3012 description: If specified, the pod's tolerations.
3013 items:
3014 type: object
3015 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3016 properties:
3017 value:
3018 type: string
3019 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3020 effect:
3021 type: string
3022 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3023 key:
3024 type: string
3025 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3026 operator:
3027 type: string
3028 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3029 tolerationSeconds:
3030 type: integer
3031 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3032 format: int64
3033 serviceType:
3034 type: string
3035 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3036 token:
3037 type: string
3038 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3039 url:
3040 type: string
3041 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3042 wildcard:
3043 type: boolean
3044 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
3045 required:
3046 - authorizationURL
3047 - dnsName
3048 - issuerRef
3049 - key
3050 - solver
3051 - token
3052 - type
3053 - url
3054 status:
3055 type: object
3056 properties:
3057 presented:
3058 type: boolean
3059 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
3060 processing:
3061 type: boolean
3062 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
3063 reason:
3064 type: string
3065 description: Contains human readable information on why the Challenge is in the current state.
3066 state:
3067 type: string
3068 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
3069 enum:
3070 - valid
3071 - ready
3072 - pending
3073 - processing
3074 - invalid
3075 - expired
3076 - errored
3077 required:
3078 - metadata
3079 - spec
3080 served: true
3081 storage: true
3082 subresources:
3083 status: {}
3084 - name: v1alpha2
3085 additionalPrinterColumns:
3086 - name: State
3087 type: string
3088 jsonPath: .status.state
3089 - name: Domain
3090 type: string
3091 jsonPath: .spec.dnsName
3092 - name: Reason
3093 type: string
3094 priority: 1
3095 jsonPath: .status.reason
3096 - name: Age
3097 type: date
3098 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
3099 jsonPath: .metadata.creationTimestamp
3100 schema:
3101 openAPIV3Schema:
3102 type: object
3103 description: Challenge is a type to represent a Challenge request with an ACME server
3104 properties:
3105 apiVersion:
3106 type: string
3107 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3108 kind:
3109 type: string
3110 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3111 metadata:
3112 type: object
3113 spec:
3114 type: object
3115 properties:
3116 type:
3117 type: string
3118 description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3119 enum:
3120 - http-01
3121 - dns-01
3122 authzURL:
3123 type: string
3124 description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
3125 dnsName:
3126 type: string
3127 description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
3128 issuerRef:
3129 type: object
3130 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
3131 properties:
3132 name:
3133 type: string
3134 description: Name of the resource being referred to.
3135 kind:
3136 type: string
3137 description: Kind of the resource being referred to.
3138 group:
3139 type: string
3140 description: Group of the resource being referred to.
3141 required:
3142 - name
3143 key:
3144 type: string
3145 description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
3146 solver:
3147 type: object
3148 description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
3149 properties:
3150 selector:
3151 type: object
3152 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3153 properties:
3154 dnsNames:
3155 type: array
3156 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3157 items:
3158 type: string
3159 dnsZones:
3160 type: array
3161 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3162 items:
3163 type: string
3164 matchLabels:
3165 type: object
3166 additionalProperties:
3167 type: string
3168 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3169 dns01:
3170 type: object
3171 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
3172 properties:
3173 acmedns:
3174 type: object
3175 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
3176 properties:
3177 accountSecretRef:
3178 type: object
3179 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3180 properties:
3181 name:
3182 type: string
3183 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3184 key:
3185 type: string
3186 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3187 required:
3188 - name
3189 host:
3190 type: string
3191 required:
3192 - accountSecretRef
3193 - host
3194 akamai:
3195 type: object
3196 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
3197 properties:
3198 accessTokenSecretRef:
3199 type: object
3200 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3201 properties:
3202 name:
3203 type: string
3204 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3205 key:
3206 type: string
3207 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3208 required:
3209 - name
3210 clientSecretSecretRef:
3211 type: object
3212 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3213 properties:
3214 name:
3215 type: string
3216 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3217 key:
3218 type: string
3219 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3220 required:
3221 - name
3222 clientTokenSecretRef:
3223 type: object
3224 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3225 properties:
3226 name:
3227 type: string
3228 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3229 key:
3230 type: string
3231 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3232 required:
3233 - name
3234 serviceConsumerDomain:
3235 type: string
3236 required:
3237 - accessTokenSecretRef
3238 - clientSecretSecretRef
3239 - clientTokenSecretRef
3240 - serviceConsumerDomain
3241 azuredns:
3242 type: object
3243 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
3244 properties:
3245 clientID:
3246 type: string
3247 description: If both this and ClientSecret are left unset, MSI will be used.
3248 clientSecretSecretRef:
3249 type: object
3250 description: If both this and ClientID are left unset, MSI will be used.
3251 properties:
3252 name:
3253 type: string
3254 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3255 key:
3256 type: string
3257 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3258 required:
3259 - name
3260 environment:
3261 type: string
3262 enum:
3263 - AzurePublicCloud
3264 - AzureChinaCloud
3265 - AzureGermanCloud
3266 - AzureUSGovernmentCloud
3267 hostedZoneName:
3268 type: string
3269 resourceGroupName:
3270 type: string
3271 subscriptionID:
3272 type: string
3273 tenantID:
3274 type: string
3275 description: When specifying ClientID and ClientSecret, this field is also needed.
3276 required:
3277 - resourceGroupName
3278 - subscriptionID
3279 clouddns:
3280 type: object
3281 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3282 properties:
3283 hostedZoneName:
3284 type: string
3285 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
3286 project:
3287 type: string
3288 serviceAccountSecretRef:
3289 type: object
3290 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3291 properties:
3292 name:
3293 type: string
3294 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3295 key:
3296 type: string
3297 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3298 required:
3299 - name
3300 required:
3301 - project
3302 cloudflare:
3303 type: object
3304 description: Use the Cloudflare API to manage DNS01 challenge records.
3305 properties:
3306 apiKeySecretRef:
3307 type: object
3308 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
3309 properties:
3310 name:
3311 type: string
3312 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3313 key:
3314 type: string
3315 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3316 required:
3317 - name
3318 apiTokenSecretRef:
3319 type: object
3320 description: API token used to authenticate with Cloudflare.
3321 properties:
3322 name:
3323 type: string
3324 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3325 key:
3326 type: string
3327 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3328 required:
3329 - name
3330 email:
3331 type: string
3332 description: Email of the account, only required when using API key based authentication.
3333 cnameStrategy:
3334 type: string
3335 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3336 enum:
3337 - None
3338 - Follow
3339 digitalocean:
3340 type: object
3341 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3342 properties:
3343 tokenSecretRef:
3344 type: object
3345 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3346 properties:
3347 name:
3348 type: string
3349 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3350 key:
3351 type: string
3352 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3353 required:
3354 - name
3355 required:
3356 - tokenSecretRef
3357 rfc2136:
3358 type: object
3359 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3360 properties:
3361 nameserver:
3362 type: string
3363 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
3364 tsigAlgorithm:
3365 type: string
3366 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
3367 tsigKeyName:
3368 type: string
3369 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3370 tsigSecretSecretRef:
3371 type: object
3372 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3373 properties:
3374 name:
3375 type: string
3376 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3377 key:
3378 type: string
3379 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3380 required:
3381 - name
3382 required:
3383 - nameserver
3384 route53:
3385 type: object
3386 description: Use the AWS Route53 API to manage DNS01 challenge records.
3387 properties:
3388 accessKeyID:
3389 type: string
3390 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3391 hostedZoneID:
3392 type: string
3393 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
3394 region:
3395 type: string
3396 description: Always set the region when using AccessKeyID and SecretAccessKey
3397 role:
3398 type: string
3399 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3400 secretAccessKeySecretRef:
3401 type: object
3402 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
3403 properties:
3404 name:
3405 type: string
3406 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3407 key:
3408 type: string
3409 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3410 required:
3411 - name
3412 required:
3413 - region
3414 webhook:
3415 type: object
3416 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3417 properties:
3418 config:
3419 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3420 x-kubernetes-preserve-unknown-fields: true
3421 groupName:
3422 type: string
3423 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3424 solverName:
3425 type: string
3426 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3427 required:
3428 - groupName
3429 - solverName
3430 http01:
3431 type: object
3432 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3433 properties:
3434 gatewayHTTPRoute:
3435 type: object
3436 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3437 properties:
3438 labels:
3439 type: object
3440 additionalProperties:
3441 type: string
3442 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
3443 serviceType:
3444 type: string
3445 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3446 ingress:
3447 type: object
3448 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3449 properties:
3450 name:
3451 type: string
3452 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
3453 class:
3454 type: string
3455 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
3456 ingressTemplate:
3457 type: object
3458 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
3459 properties:
3460 metadata:
3461 type: object
3462 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3463 properties:
3464 labels:
3465 type: object
3466 additionalProperties:
3467 type: string
3468 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3469 annotations:
3470 type: object
3471 additionalProperties:
3472 type: string
3473 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3474 podTemplate:
3475 type: object
3476 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3477 properties:
3478 metadata:
3479 type: object
3480 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3481 properties:
3482 labels:
3483 type: object
3484 additionalProperties:
3485 type: string
3486 description: Labels that should be added to the created ACME HTTP01 solver pods.
3487 annotations:
3488 type: object
3489 additionalProperties:
3490 type: string
3491 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3492 spec:
3493 type: object
3494 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
3495 properties:
3496 serviceAccountName:
3497 type: string
3498 description: If specified, the pod's service account
3499 priorityClassName:
3500 type: string
3501 description: If specified, the pod's priorityClassName.
3502 nodeSelector:
3503 type: object
3504 additionalProperties:
3505 type: string
3506 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3507 affinity:
3508 type: object
3509 description: If specified, the pod's scheduling constraints
3510 properties:
3511 nodeAffinity:
3512 type: object
3513 description: Describes node affinity scheduling rules for the pod.
3514 properties:
3515 preferredDuringSchedulingIgnoredDuringExecution:
3516 type: array
3517 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3518 items:
3519 type: object
3520 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3521 properties:
3522 preference:
3523 type: object
3524 description: A node selector term, associated with the corresponding weight.
3525 properties:
3526 matchExpressions:
3527 type: array
3528 description: A list of node selector requirements by node's labels.
3529 items:
3530 type: object
3531 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3532 properties:
3533 key:
3534 type: string
3535 description: The label key that the selector applies to.
3536 operator:
3537 type: string
3538 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3539 values:
3540 type: array
3541 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3542 items:
3543 type: string
3544 required:
3545 - key
3546 - operator
3547 matchFields:
3548 type: array
3549 description: A list of node selector requirements by node's fields.
3550 items:
3551 type: object
3552 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3553 properties:
3554 key:
3555 type: string
3556 description: The label key that the selector applies to.
3557 operator:
3558 type: string
3559 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3560 values:
3561 type: array
3562 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3563 items:
3564 type: string
3565 required:
3566 - key
3567 - operator
3568 weight:
3569 type: integer
3570 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3571 format: int32
3572 required:
3573 - preference
3574 - weight
3575 requiredDuringSchedulingIgnoredDuringExecution:
3576 type: object
3577 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3578 properties:
3579 nodeSelectorTerms:
3580 type: array
3581 description: Required. A list of node selector terms. The terms are ORed.
3582 items:
3583 type: object
3584 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3585 properties:
3586 matchExpressions:
3587 type: array
3588 description: A list of node selector requirements by node's labels.
3589 items:
3590 type: object
3591 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3592 properties:
3593 key:
3594 type: string
3595 description: The label key that the selector applies to.
3596 operator:
3597 type: string
3598 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3599 values:
3600 type: array
3601 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3602 items:
3603 type: string
3604 required:
3605 - key
3606 - operator
3607 matchFields:
3608 type: array
3609 description: A list of node selector requirements by node's fields.
3610 items:
3611 type: object
3612 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3613 properties:
3614 key:
3615 type: string
3616 description: The label key that the selector applies to.
3617 operator:
3618 type: string
3619 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3620 values:
3621 type: array
3622 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3623 items:
3624 type: string
3625 required:
3626 - key
3627 - operator
3628 required:
3629 - nodeSelectorTerms
3630 podAffinity:
3631 type: object
3632 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3633 properties:
3634 preferredDuringSchedulingIgnoredDuringExecution:
3635 type: array
3636 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3637 items:
3638 type: object
3639 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3640 properties:
3641 podAffinityTerm:
3642 type: object
3643 description: Required. A pod affinity term, associated with the corresponding weight.
3644 properties:
3645 labelSelector:
3646 type: object
3647 description: A label query over a set of resources, in this case pods.
3648 properties:
3649 matchExpressions:
3650 type: array
3651 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3652 items:
3653 type: object
3654 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3655 properties:
3656 key:
3657 type: string
3658 description: key is the label key that the selector applies to.
3659 operator:
3660 type: string
3661 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3662 values:
3663 type: array
3664 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3665 items:
3666 type: string
3667 required:
3668 - key
3669 - operator
3670 matchLabels:
3671 type: object
3672 additionalProperties:
3673 type: string
3674 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3675 namespaceSelector:
3676 type: object
3677 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3678 properties:
3679 matchExpressions:
3680 type: array
3681 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3682 items:
3683 type: object
3684 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3685 properties:
3686 key:
3687 type: string
3688 description: key is the label key that the selector applies to.
3689 operator:
3690 type: string
3691 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3692 values:
3693 type: array
3694 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3695 items:
3696 type: string
3697 required:
3698 - key
3699 - operator
3700 matchLabels:
3701 type: object
3702 additionalProperties:
3703 type: string
3704 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3705 namespaces:
3706 type: array
3707 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3708 items:
3709 type: string
3710 topologyKey:
3711 type: string
3712 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3713 required:
3714 - topologyKey
3715 weight:
3716 type: integer
3717 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3718 format: int32
3719 required:
3720 - podAffinityTerm
3721 - weight
3722 requiredDuringSchedulingIgnoredDuringExecution:
3723 type: array
3724 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3725 items:
3726 type: object
3727 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3728 properties:
3729 labelSelector:
3730 type: object
3731 description: A label query over a set of resources, in this case pods.
3732 properties:
3733 matchExpressions:
3734 type: array
3735 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3736 items:
3737 type: object
3738 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3739 properties:
3740 key:
3741 type: string
3742 description: key is the label key that the selector applies to.
3743 operator:
3744 type: string
3745 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3746 values:
3747 type: array
3748 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3749 items:
3750 type: string
3751 required:
3752 - key
3753 - operator
3754 matchLabels:
3755 type: object
3756 additionalProperties:
3757 type: string
3758 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3759 namespaceSelector:
3760 type: object
3761 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3762 properties:
3763 matchExpressions:
3764 type: array
3765 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3766 items:
3767 type: object
3768 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3769 properties:
3770 key:
3771 type: string
3772 description: key is the label key that the selector applies to.
3773 operator:
3774 type: string
3775 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3776 values:
3777 type: array
3778 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3779 items:
3780 type: string
3781 required:
3782 - key
3783 - operator
3784 matchLabels:
3785 type: object
3786 additionalProperties:
3787 type: string
3788 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3789 namespaces:
3790 type: array
3791 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3792 items:
3793 type: string
3794 topologyKey:
3795 type: string
3796 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3797 required:
3798 - topologyKey
3799 podAntiAffinity:
3800 type: object
3801 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3802 properties:
3803 preferredDuringSchedulingIgnoredDuringExecution:
3804 type: array
3805 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3806 items:
3807 type: object
3808 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3809 properties:
3810 podAffinityTerm:
3811 type: object
3812 description: Required. A pod affinity term, associated with the corresponding weight.
3813 properties:
3814 labelSelector:
3815 type: object
3816 description: A label query over a set of resources, in this case pods.
3817 properties:
3818 matchExpressions:
3819 type: array
3820 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3821 items:
3822 type: object
3823 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3824 properties:
3825 key:
3826 type: string
3827 description: key is the label key that the selector applies to.
3828 operator:
3829 type: string
3830 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3831 values:
3832 type: array
3833 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3834 items:
3835 type: string
3836 required:
3837 - key
3838 - operator
3839 matchLabels:
3840 type: object
3841 additionalProperties:
3842 type: string
3843 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3844 namespaceSelector:
3845 type: object
3846 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3847 properties:
3848 matchExpressions:
3849 type: array
3850 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3851 items:
3852 type: object
3853 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3854 properties:
3855 key:
3856 type: string
3857 description: key is the label key that the selector applies to.
3858 operator:
3859 type: string
3860 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3861 values:
3862 type: array
3863 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3864 items:
3865 type: string
3866 required:
3867 - key
3868 - operator
3869 matchLabels:
3870 type: object
3871 additionalProperties:
3872 type: string
3873 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3874 namespaces:
3875 type: array
3876 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3877 items:
3878 type: string
3879 topologyKey:
3880 type: string
3881 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3882 required:
3883 - topologyKey
3884 weight:
3885 type: integer
3886 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3887 format: int32
3888 required:
3889 - podAffinityTerm
3890 - weight
3891 requiredDuringSchedulingIgnoredDuringExecution:
3892 type: array
3893 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3894 items:
3895 type: object
3896 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3897 properties:
3898 labelSelector:
3899 type: object
3900 description: A label query over a set of resources, in this case pods.
3901 properties:
3902 matchExpressions:
3903 type: array
3904 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3905 items:
3906 type: object
3907 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3908 properties:
3909 key:
3910 type: string
3911 description: key is the label key that the selector applies to.
3912 operator:
3913 type: string
3914 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3915 values:
3916 type: array
3917 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3918 items:
3919 type: string
3920 required:
3921 - key
3922 - operator
3923 matchLabels:
3924 type: object
3925 additionalProperties:
3926 type: string
3927 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3928 namespaceSelector:
3929 type: object
3930 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3931 properties:
3932 matchExpressions:
3933 type: array
3934 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3935 items:
3936 type: object
3937 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3938 properties:
3939 key:
3940 type: string
3941 description: key is the label key that the selector applies to.
3942 operator:
3943 type: string
3944 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3945 values:
3946 type: array
3947 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3948 items:
3949 type: string
3950 required:
3951 - key
3952 - operator
3953 matchLabels:
3954 type: object
3955 additionalProperties:
3956 type: string
3957 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3958 namespaces:
3959 type: array
3960 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3961 items:
3962 type: string
3963 topologyKey:
3964 type: string
3965 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3966 required:
3967 - topologyKey
3968 tolerations:
3969 type: array
3970 description: If specified, the pod's tolerations.
3971 items:
3972 type: object
3973 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3974 properties:
3975 value:
3976 type: string
3977 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3978 effect:
3979 type: string
3980 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3981 key:
3982 type: string
3983 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3984 operator:
3985 type: string
3986 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3987 tolerationSeconds:
3988 type: integer
3989 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3990 format: int64
3991 serviceType:
3992 type: string
3993 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3994 token:
3995 type: string
3996 description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3997 url:
3998 type: string
3999 description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
4000 wildcard:
4001 type: boolean
4002 description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
4003 required:
4004 - authzURL
4005 - dnsName
4006 - issuerRef
4007 - key
4008 - solver
4009 - token
4010 - type
4011 - url
4012 status:
4013 type: object
4014 properties:
4015 presented:
4016 type: boolean
4017 description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4018 processing:
4019 type: boolean
4020 description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4021 reason:
4022 type: string
4023 description: Reason contains human readable information on why the Challenge is in the current state.
4024 state:
4025 type: string
4026 description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4027 enum:
4028 - valid
4029 - ready
4030 - pending
4031 - processing
4032 - invalid
4033 - expired
4034 - errored
4035 required:
4036 - metadata
4037 served: true
4038 storage: false
4039 subresources:
4040 status: {}
4041 - name: v1alpha3
4042 additionalPrinterColumns:
4043 - name: State
4044 type: string
4045 jsonPath: .status.state
4046 - name: Domain
4047 type: string
4048 jsonPath: .spec.dnsName
4049 - name: Reason
4050 type: string
4051 priority: 1
4052 jsonPath: .status.reason
4053 - name: Age
4054 type: date
4055 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4056 jsonPath: .metadata.creationTimestamp
4057 schema:
4058 openAPIV3Schema:
4059 type: object
4060 description: Challenge is a type to represent a Challenge request with an ACME server
4061 properties:
4062 apiVersion:
4063 type: string
4064 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4065 kind:
4066 type: string
4067 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4068 metadata:
4069 type: object
4070 spec:
4071 type: object
4072 properties:
4073 type:
4074 type: string
4075 description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
4076 enum:
4077 - http-01
4078 - dns-01
4079 authzURL:
4080 type: string
4081 description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
4082 dnsName:
4083 type: string
4084 description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
4085 issuerRef:
4086 type: object
4087 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
4088 properties:
4089 name:
4090 type: string
4091 description: Name of the resource being referred to.
4092 kind:
4093 type: string
4094 description: Kind of the resource being referred to.
4095 group:
4096 type: string
4097 description: Group of the resource being referred to.
4098 required:
4099 - name
4100 key:
4101 type: string
4102 description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
4103 solver:
4104 type: object
4105 description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
4106 properties:
4107 selector:
4108 type: object
4109 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
4110 properties:
4111 dnsNames:
4112 type: array
4113 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4114 items:
4115 type: string
4116 dnsZones:
4117 type: array
4118 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4119 items:
4120 type: string
4121 matchLabels:
4122 type: object
4123 additionalProperties:
4124 type: string
4125 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
4126 dns01:
4127 type: object
4128 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
4129 properties:
4130 acmedns:
4131 type: object
4132 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
4133 properties:
4134 accountSecretRef:
4135 type: object
4136 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4137 properties:
4138 name:
4139 type: string
4140 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4141 key:
4142 type: string
4143 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4144 required:
4145 - name
4146 host:
4147 type: string
4148 required:
4149 - accountSecretRef
4150 - host
4151 akamai:
4152 type: object
4153 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
4154 properties:
4155 accessTokenSecretRef:
4156 type: object
4157 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4158 properties:
4159 name:
4160 type: string
4161 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4162 key:
4163 type: string
4164 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4165 required:
4166 - name
4167 clientSecretSecretRef:
4168 type: object
4169 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4170 properties:
4171 name:
4172 type: string
4173 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4174 key:
4175 type: string
4176 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4177 required:
4178 - name
4179 clientTokenSecretRef:
4180 type: object
4181 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4182 properties:
4183 name:
4184 type: string
4185 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4186 key:
4187 type: string
4188 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4189 required:
4190 - name
4191 serviceConsumerDomain:
4192 type: string
4193 required:
4194 - accessTokenSecretRef
4195 - clientSecretSecretRef
4196 - clientTokenSecretRef
4197 - serviceConsumerDomain
4198 azuredns:
4199 type: object
4200 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
4201 properties:
4202 clientID:
4203 type: string
4204 description: If both this and ClientSecret are left unset, MSI will be used.
4205 clientSecretSecretRef:
4206 type: object
4207 description: If both this and ClientID are left unset, MSI will be used.
4208 properties:
4209 name:
4210 type: string
4211 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4212 key:
4213 type: string
4214 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4215 required:
4216 - name
4217 environment:
4218 type: string
4219 enum:
4220 - AzurePublicCloud
4221 - AzureChinaCloud
4222 - AzureGermanCloud
4223 - AzureUSGovernmentCloud
4224 hostedZoneName:
4225 type: string
4226 resourceGroupName:
4227 type: string
4228 subscriptionID:
4229 type: string
4230 tenantID:
4231 type: string
4232 description: When specifying ClientID and ClientSecret, this field is also needed.
4233 required:
4234 - resourceGroupName
4235 - subscriptionID
4236 clouddns:
4237 type: object
4238 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
4239 properties:
4240 hostedZoneName:
4241 type: string
4242 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
4243 project:
4244 type: string
4245 serviceAccountSecretRef:
4246 type: object
4247 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4248 properties:
4249 name:
4250 type: string
4251 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4252 key:
4253 type: string
4254 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4255 required:
4256 - name
4257 required:
4258 - project
4259 cloudflare:
4260 type: object
4261 description: Use the Cloudflare API to manage DNS01 challenge records.
4262 properties:
4263 apiKeySecretRef:
4264 type: object
4265 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
4266 properties:
4267 name:
4268 type: string
4269 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4270 key:
4271 type: string
4272 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4273 required:
4274 - name
4275 apiTokenSecretRef:
4276 type: object
4277 description: API token used to authenticate with Cloudflare.
4278 properties:
4279 name:
4280 type: string
4281 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4282 key:
4283 type: string
4284 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4285 required:
4286 - name
4287 email:
4288 type: string
4289 description: Email of the account, only required when using API key based authentication.
4290 cnameStrategy:
4291 type: string
4292 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
4293 enum:
4294 - None
4295 - Follow
4296 digitalocean:
4297 type: object
4298 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
4299 properties:
4300 tokenSecretRef:
4301 type: object
4302 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4303 properties:
4304 name:
4305 type: string
4306 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4307 key:
4308 type: string
4309 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4310 required:
4311 - name
4312 required:
4313 - tokenSecretRef
4314 rfc2136:
4315 type: object
4316 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
4317 properties:
4318 nameserver:
4319 type: string
4320 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
4321 tsigAlgorithm:
4322 type: string
4323 description: 'The TSIG Algorithm configured in the DNS server supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` and ``HMACSHA1`` are kept only for compatibility with older servers; prefer ``HMACSHA256`` or ``HMACSHA512`` and set this field explicitly rather than relying on the default.'
4324 tsigKeyName:
4325 type: string
4326 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
4327 tsigSecretSecretRef:
4328 type: object
4329 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
4330 properties:
4331 name:
4332 type: string
4333 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4334 key:
4335 type: string
4336 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4337 required:
4338 - name
4339 required:
4340 - nameserver
4341 route53:
4342 type: object
4343 description: Use the AWS Route53 API to manage DNS01 challenge records.
4344 properties:
4345 accessKeyID:
4346 type: string
4347 description: 'The AccessKeyID is used for authentication. If not set we fall back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials. Note that the instance-metadata fallback uses the instance role of the node running cert-manager, so the solver then inherits whatever Route53 permissions that role carries; prefer explicitly scoped credentials or the role field.'
4348 hostedZoneID:
4349 type: string
4350 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call, so the IAM policy granted to the provider can be scoped to that single hosted zone and need not include route53:ListHostedZonesByName.
4351 region:
4352 type: string
4353 description: Always set the region when using AccessKeyID and SecretAccessKey
4354 role:
4355 type: string
4356 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
4357 secretAccessKeySecretRef:
4358 type: object
4359 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4360 properties:
4361 name:
4362 type: string
4363 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4364 key:
4365 type: string
4366 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4367 required:
4368 - name
4369 required:
4370 - region
4371 webhook:
4372 type: object
4373 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
4374 properties:
4375 config:
4376 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
4377 x-kubernetes-preserve-unknown-fields: true
4378 groupName:
4379 type: string
4380 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
4381 solverName:
4382 type: string
4383 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
4384 required:
4385 - groupName
4386 - solverName
4387 http01:
4388 type: object
4389 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
4390 properties:
4391 gatewayHTTPRoute:
4392 type: object
4393 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
4394 properties:
4395 labels:
4396 type: object
4397 additionalProperties:
4398 type: string
4399 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
4400 serviceType:
4401 type: string
4402 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4403 ingress:
4404 type: object
4405 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
4406 properties:
4407 name:
4408 type: string
4409 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
4410 class:
4411 type: string
4412 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
4413 ingressTemplate:
4414 type: object
4415 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
4416 properties:
4417 metadata:
4418 type: object
4419 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4420 properties:
4421 labels:
4422 type: object
4423 additionalProperties:
4424 type: string
4425 description: Labels that should be added to the created ACME HTTP01 solver ingress.
4426 annotations:
4427 type: object
4428 additionalProperties:
4429 type: string
4430 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
4431 podTemplate:
4432 type: object
4433 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
4434 properties:
4435 metadata:
4436 type: object
4437 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4438 properties:
4439 labels:
4440 type: object
4441 additionalProperties:
4442 type: string
4443 description: Labels that should be added to the created ACME HTTP01 solver pods.
4444 annotations:
4445 type: object
4446 additionalProperties:
4447 type: string
4448 description: Annotations that should be added to the created ACME HTTP01 solver pods.
4449 spec:
4450 type: object
4451 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
4452 properties:
4453 serviceAccountName:
4454 type: string
4455 description: If specified, the pod's service account. The solver pod only serves the ACME challenge response and should not need Kubernetes API access, so prefer a dedicated service account with no RBAC bindings (and consider disabling service account token automount for it).
4456 priorityClassName:
4457 type: string
4458 description: If specified, the pod's priorityClassName.
4459 nodeSelector:
4460 type: object
4461 additionalProperties:
4462 type: string
4463 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
4464 affinity:
4465 type: object
4466 description: If specified, the pod's scheduling constraints
4467 properties:
4468 nodeAffinity:
4469 type: object
4470 description: Describes node affinity scheduling rules for the pod.
4471 properties:
4472 preferredDuringSchedulingIgnoredDuringExecution:
4473 type: array
4474 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
4475 items:
4476 type: object
4477 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
4478 properties:
4479 preference:
4480 type: object
4481 description: A node selector term, associated with the corresponding weight.
4482 properties:
4483 matchExpressions:
4484 type: array
4485 description: A list of node selector requirements by node's labels.
4486 items:
4487 type: object
4488 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4489 properties:
4490 key:
4491 type: string
4492 description: The label key that the selector applies to.
4493 operator:
4494 type: string
4495 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4496 values:
4497 type: array
4498 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4499 items:
4500 type: string
4501 required:
4502 - key
4503 - operator
4504 matchFields:
4505 type: array
4506 description: A list of node selector requirements by node's fields.
4507 items:
4508 type: object
4509 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4510 properties:
4511 key:
4512 type: string
4513 description: The label key that the selector applies to.
4514 operator:
4515 type: string
4516 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4517 values:
4518 type: array
4519 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4520 items:
4521 type: string
4522 required:
4523 - key
4524 - operator
4525 weight:
4526 type: integer
4527 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
4528 format: int32
4529 required:
4530 - preference
4531 - weight
4532 requiredDuringSchedulingIgnoredDuringExecution:
4533 type: object
4534 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
4535 properties:
4536 nodeSelectorTerms:
4537 type: array
4538 description: Required. A list of node selector terms. The terms are ORed.
4539 items:
4540 type: object
4541 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
4542 properties:
4543 matchExpressions:
4544 type: array
4545 description: A list of node selector requirements by node's labels.
4546 items:
4547 type: object
4548 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4549 properties:
4550 key:
4551 type: string
4552 description: The label key that the selector applies to.
4553 operator:
4554 type: string
4555 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4556 values:
4557 type: array
4558 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4559 items:
4560 type: string
4561 required:
4562 - key
4563 - operator
4564 matchFields:
4565 type: array
4566 description: A list of node selector requirements by node's fields.
4567 items:
4568 type: object
4569 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4570 properties:
4571 key:
4572 type: string
4573 description: The label key that the selector applies to.
4574 operator:
4575 type: string
4576 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4577 values:
4578 type: array
4579 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4580 items:
4581 type: string
4582 required:
4583 - key
4584 - operator
4585 required:
4586 - nodeSelectorTerms
4587 podAffinity:
4588 type: object
4589 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
4590 properties:
4591 preferredDuringSchedulingIgnoredDuringExecution:
4592 type: array
4593 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4594 items:
4595 type: object
4596 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4597 properties:
4598 podAffinityTerm:
4599 type: object
4600 description: Required. A pod affinity term, associated with the corresponding weight.
4601 properties:
4602 labelSelector:
4603 type: object
4604 description: A label query over a set of resources, in this case pods.
4605 properties:
4606 matchExpressions:
4607 type: array
4608 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4609 items:
4610 type: object
4611 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4612 properties:
4613 key:
4614 type: string
4615 description: key is the label key that the selector applies to.
4616 operator:
4617 type: string
4618 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4619 values:
4620 type: array
4621 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4622 items:
4623 type: string
4624 required:
4625 - key
4626 - operator
4627 matchLabels:
4628 type: object
4629 additionalProperties:
4630 type: string
4631 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4632 namespaceSelector:
4633 type: object
4634 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4635 properties:
4636 matchExpressions:
4637 type: array
4638 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4639 items:
4640 type: object
4641 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4642 properties:
4643 key:
4644 type: string
4645 description: key is the label key that the selector applies to.
4646 operator:
4647 type: string
4648 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4649 values:
4650 type: array
4651 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4652 items:
4653 type: string
4654 required:
4655 - key
4656 - operator
4657 matchLabels:
4658 type: object
4659 additionalProperties:
4660 type: string
4661 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4662 namespaces:
4663 type: array
4664 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4665 items:
4666 type: string
4667 topologyKey:
4668 type: string
4669 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4670 required:
4671 - topologyKey
4672 weight:
4673 type: integer
4674 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4675 format: int32
4676 required:
4677 - podAffinityTerm
4678 - weight
4679 requiredDuringSchedulingIgnoredDuringExecution:
4680 type: array
4681 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4682 items:
4683 type: object
4684 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4685 properties:
4686 labelSelector:
4687 type: object
4688 description: A label query over a set of resources, in this case pods.
4689 properties:
4690 matchExpressions:
4691 type: array
4692 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4693 items:
4694 type: object
4695 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4696 properties:
4697 key:
4698 type: string
4699 description: key is the label key that the selector applies to.
4700 operator:
4701 type: string
4702 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4703 values:
4704 type: array
4705 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4706 items:
4707 type: string
4708 required:
4709 - key
4710 - operator
4711 matchLabels:
4712 type: object
4713 additionalProperties:
4714 type: string
4715 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4716 namespaceSelector:
4717 type: object
4718 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4719 properties:
4720 matchExpressions:
4721 type: array
4722 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4723 items:
4724 type: object
4725 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4726 properties:
4727 key:
4728 type: string
4729 description: key is the label key that the selector applies to.
4730 operator:
4731 type: string
4732 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4733 values:
4734 type: array
4735 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4736 items:
4737 type: string
4738 required:
4739 - key
4740 - operator
4741 matchLabels:
4742 type: object
4743 additionalProperties:
4744 type: string
4745 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4746 namespaces:
4747 type: array
4748 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4749 items:
4750 type: string
4751 topologyKey:
4752 type: string
4753 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4754 required:
4755 - topologyKey
4756 podAntiAffinity:
4757 type: object
4758 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
4759 properties:
4760 preferredDuringSchedulingIgnoredDuringExecution:
4761 type: array
4762 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4763 items:
4764 type: object
4765 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4766 properties:
4767 podAffinityTerm:
4768 type: object
4769 description: Required. A pod affinity term, associated with the corresponding weight.
4770 properties:
4771 labelSelector:
4772 type: object
4773 description: A label query over a set of resources, in this case pods.
4774 properties:
4775 matchExpressions:
4776 type: array
4777 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4778 items:
4779 type: object
4780 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4781 properties:
4782 key:
4783 type: string
4784 description: key is the label key that the selector applies to.
4785 operator:
4786 type: string
4787 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4788 values:
4789 type: array
4790 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4791 items:
4792 type: string
4793 required:
4794 - key
4795 - operator
4796 matchLabels:
4797 type: object
4798 additionalProperties:
4799 type: string
4800 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4801 namespaceSelector:
4802 type: object
4803 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4804 properties:
4805 matchExpressions:
4806 type: array
4807 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4808 items:
4809 type: object
4810 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4811 properties:
4812 key:
4813 type: string
4814 description: key is the label key that the selector applies to.
4815 operator:
4816 type: string
4817 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4818 values:
4819 type: array
4820 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4821 items:
4822 type: string
4823 required:
4824 - key
4825 - operator
4826 matchLabels:
4827 type: object
4828 additionalProperties:
4829 type: string
4830 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4831 namespaces:
4832 type: array
4833 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4834 items:
4835 type: string
4836 topologyKey:
4837 type: string
4838 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4839 required:
4840 - topologyKey
4841 weight:
4842 type: integer
4843 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4844 format: int32
4845 required:
4846 - podAffinityTerm
4847 - weight
4848 requiredDuringSchedulingIgnoredDuringExecution:
4849 type: array
4850 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4851 items:
4852 type: object
4853 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4854 properties:
4855 labelSelector:
4856 type: object
4857 description: A label query over a set of resources, in this case pods.
4858 properties:
4859 matchExpressions:
4860 type: array
4861 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4862 items:
4863 type: object
4864 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4865 properties:
4866 key:
4867 type: string
4868 description: key is the label key that the selector applies to.
4869 operator:
4870 type: string
4871 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4872 values:
4873 type: array
4874 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4875 items:
4876 type: string
4877 required:
4878 - key
4879 - operator
4880 matchLabels:
4881 type: object
4882 additionalProperties:
4883 type: string
4884 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4885 namespaceSelector:
4886 type: object
4887 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4888 properties:
4889 matchExpressions:
4890 type: array
4891 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4892 items:
4893 type: object
4894 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4895 properties:
4896 key:
4897 type: string
4898 description: key is the label key that the selector applies to.
4899 operator:
4900 type: string
4901 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4902 values:
4903 type: array
4904 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4905 items:
4906 type: string
4907 required:
4908 - key
4909 - operator
4910 matchLabels:
4911 type: object
4912 additionalProperties:
4913 type: string
4914 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4915 namespaces:
4916 type: array
4917 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4918 items:
4919 type: string
4920 topologyKey:
4921 type: string
4922 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4923 required:
4924 - topologyKey
4925 tolerations:
4926 type: array
4927 description: If specified, the pod's tolerations.
4928 items:
4929 type: object
4930 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
4931 properties:
4932 value:
4933 type: string
4934 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
4935 effect:
4936 type: string
4937 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4938 key:
4939 type: string
4940 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4941 operator:
4942 type: string
4943 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
4944 tolerationSeconds:
4945 type: integer
4946 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
4947 format: int64
4948 serviceType:
4949 type: string
4950 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. NodePort exposes the solver on a port of every node; use ClusterIP when the ingress or gateway routes to the solver pod from inside the cluster.
4951 token:
4952 type: string
4953 description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
4954 url:
4955 type: string
4956 description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
4957 wildcard:
4958 type: boolean
4959 description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
4960 required:
4961 - authzURL
4962 - dnsName
4963 - issuerRef
4964 - key
4965 - solver
4966 - token
4967 - type
4968 - url
4969 status:
4970 type: object
4971 properties:
4972 presented:
4973 type: boolean
4974 description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4975 processing:
4976 type: boolean
4977 description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4978 reason:
4979 type: string
4980 description: Reason contains human readable information on why the Challenge is in the current state.
4981 state:
4982 type: string
4983 description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4984 enum:
4985 - valid
4986 - ready
4987 - pending
4988 - processing
4989 - invalid
4990 - expired
4991 - errored
4992 required:
4993 - metadata
4994 served: true
4995 storage: false
4996 subresources:
4997 status: {}
4998 - name: v1beta1
4999 additionalPrinterColumns:
5000 - name: State
5001 type: string
5002 jsonPath: .status.state
5003 - name: Domain
5004 type: string
5005 jsonPath: .spec.dnsName
5006 - name: Reason
5007 type: string
5008 priority: 1
5009 jsonPath: .status.reason
5010 - name: Age
5011 type: date
5012 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
5013 jsonPath: .metadata.creationTimestamp
5014 schema:
5015 openAPIV3Schema:
5016 type: object
5017 description: Challenge is a type to represent a Challenge request with an ACME server
5018 properties:
5019 apiVersion:
5020 type: string
5021 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
5022 kind:
5023 type: string
5024 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
5025 metadata:
5026 type: object
5027 spec:
5028 type: object
5029 properties:
5030 type:
5031 type: string
5032 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
5033 enum:
5034 - HTTP-01
5035 - DNS-01
5036 authorizationURL:
5037 type: string
5038 description: The URL to the ACME Authorization resource that this challenge is a part of.
5039 dnsName:
5040 type: string
5041 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
5042 issuerRef:
5043 type: object
5044 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
5045 properties:
5046 name:
5047 type: string
5048 description: Name of the resource being referred to.
5049 kind:
5050 type: string
5051 description: Kind of the resource being referred to.
5052 group:
5053 type: string
5054 description: Group of the resource being referred to.
5055 required:
5056 - name
5057 key:
5058 type: string
5059 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
5060 solver:
5061 type: object
5062 description: Contains the domain solving configuration that should be used to solve this challenge resource.
5063 properties:
5064 selector:
5065 type: object
5066 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
5067 properties:
5068 dnsNames:
5069 type: array
5070 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5071 items:
5072 type: string
5073 dnsZones:
5074 type: array
5075 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5076 items:
5077 type: string
5078 matchLabels:
5079 type: object
5080 additionalProperties:
5081 type: string
5082 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
5083 dns01:
5084 type: object
5085 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
5086 properties:
5087 acmeDNS:
5088 type: object
5089 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
5090 properties:
5091 accountSecretRef:
5092 type: object
5093 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5094 properties:
5095 name:
5096 type: string
5097 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5098 key:
5099 type: string
5100 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5101 required:
5102 - name
5103 host:
5104 type: string
5105 required:
5106 - accountSecretRef
5107 - host
5108 akamai:
5109 type: object
5110 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
5111 properties:
5112 accessTokenSecretRef:
5113 type: object
5114 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5115 properties:
5116 name:
5117 type: string
5118 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5119 key:
5120 type: string
5121 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5122 required:
5123 - name
5124 clientSecretSecretRef:
5125 type: object
5126 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5127 properties:
5128 name:
5129 type: string
5130 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5131 key:
5132 type: string
5133 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5134 required:
5135 - name
5136 clientTokenSecretRef:
5137 type: object
5138 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5139 properties:
5140 name:
5141 type: string
5142 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5143 key:
5144 type: string
5145 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5146 required:
5147 - name
5148 serviceConsumerDomain:
5149 type: string
5150 required:
5151 - accessTokenSecretRef
5152 - clientSecretSecretRef
5153 - clientTokenSecretRef
5154 - serviceConsumerDomain
5155 azureDNS:
5156 type: object
5157 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
5158 properties:
5159 clientID:
5160 type: string
5161 description: If both this and ClientSecret are left unset, MSI will be used.
5162 clientSecretSecretRef:
5163 type: object
5164 description: If both this and ClientID are left unset, MSI will be used.
5165 properties:
5166 name:
5167 type: string
5168 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5169 key:
5170 type: string
5171 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5172 required:
5173 - name
5174 environment:
5175 type: string
5176 enum:
5177 - AzurePublicCloud
5178 - AzureChinaCloud
5179 - AzureGermanCloud
5180 - AzureUSGovernmentCloud
5181 hostedZoneName:
5182 type: string
5183 resourceGroupName:
5184 type: string
5185 subscriptionID:
5186 type: string
5187 tenantID:
5188 type: string
5189 description: when specifying ClientID and ClientSecret then this field is also needed
5190 required:
5191 - resourceGroupName
5192 - subscriptionID
5193 cloudDNS:
5194 type: object
5195 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
5196 properties:
5197 hostedZoneName:
5198 type: string
5199 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
5200 project:
5201 type: string
5202 serviceAccountSecretRef:
5203 type: object
5204 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5205 properties:
5206 name:
5207 type: string
5208 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5209 key:
5210 type: string
5211 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5212 required:
5213 - name
5214 required:
5215 - project
5216 cloudflare:
5217 type: object
5218 description: Use the Cloudflare API to manage DNS01 challenge records.
5219 properties:
5220 apiKeySecretRef:
5221 type: object
5222 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
5223 properties:
5224 name:
5225 type: string
5226 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5227 key:
5228 type: string
5229 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5230 required:
5231 - name
5232 apiTokenSecretRef:
5233 type: object
5234 description: API token used to authenticate with Cloudflare.
5235 properties:
5236 name:
5237 type: string
5238 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5239 key:
5240 type: string
5241 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5242 required:
5243 - name
5244 email:
5245 type: string
5246 description: Email of the account, only required when using API key based authentication.
5247 cnameStrategy:
5248 type: string
5249 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
5250 enum:
5251 - None
5252 - Follow
5253 digitalocean:
5254 type: object
5255 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
5256 properties:
5257 tokenSecretRef:
5258 type: object
5259 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5260 properties:
5261 name:
5262 type: string
5263 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5264 key:
5265 type: string
5266 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5267 required:
5268 - name
5269 required:
5270 - tokenSecretRef
5271 rfc2136:
5272 type: object
5273 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
5274 properties:
5275 nameserver:
5276 type: string
5277 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
5278 tsigAlgorithm:
5279 type: string
5280 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The MD5 and SHA1 options are kept for compatibility with older nameservers; prefer ``HMACSHA256`` or ``HMACSHA512`` and configure the matching algorithm on the nameserver key.'
5281 tsigKeyName:
5282 type: string
5283 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
5284 tsigSecretSecretRef:
5285 type: object
5286 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
5287 properties:
5288 name:
5289 type: string
5290 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5291 key:
5292 type: string
5293 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5294 required:
5295 - name
5296 required:
5297 - nameserver
5298 route53:
5299 type: object
5300 description: Use the AWS Route53 API to manage DNS01 challenge records.
5301 properties:
5302 accessKeyID:
5303 type: string
5304 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
5305 hostedZoneID:
5306 type: string
5307 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call, so the credentials used do not need that permission.
5308 region:
5309 type: string
5310 description: Always set the region when using AccessKeyID and SecretAccessKey
5311 role:
5312 type: string
5313 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
5314 secretAccessKeySecretRef:
5315 type: object
5316 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
5317 properties:
5318 name:
5319 type: string
5320 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5321 key:
5322 type: string
5323 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5324 required:
5325 - name
5326 required:
5327 - region
5328 webhook:
5329 type: object
5330 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
5331 properties:
5332 config:
5333 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
5334 x-kubernetes-preserve-unknown-fields: true
5335 groupName:
5336 type: string
5337 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
5338 solverName:
5339 type: string
5340 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
5341 required:
5342 - groupName
5343 - solverName
5344 http01:
5345 type: object
5346 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
5347 properties:
5348 gatewayHTTPRoute:
5349 type: object
5350 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
5351 properties:
5352 labels:
5353 type: object
5354 additionalProperties:
5355 type: string
5356 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
5357 serviceType:
5358 type: string
5359 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. NodePort exposes the solver on a port of every node; use ClusterIP when the ingress or gateway routes to the solver pod from inside the cluster.
5360 ingress:
5361 type: object
5362 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
5363 properties:
5364 name:
5365 type: string
5366 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
5367 class:
5368 type: string
5369 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
5370 ingressTemplate:
5371 type: object
5372 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
5373 properties:
5374 metadata:
5375 type: object
5376 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5377 properties:
5378 labels:
5379 type: object
5380 additionalProperties:
5381 type: string
5382 description: Labels that should be added to the created ACME HTTP01 solver ingress.
5383 annotations:
5384 type: object
5385 additionalProperties:
5386 type: string
5387 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
5388 podTemplate:
5389 type: object
5390 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
5391 properties:
5392 metadata:
5393 type: object
5394 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5395 properties:
5396 labels:
5397 type: object
5398 additionalProperties:
5399 type: string
5400 description: Labels that should be added to the created ACME HTTP01 solver pods.
5401 annotations:
5402 type: object
5403 additionalProperties:
5404 type: string
5405 description: Annotations that should be added to the created ACME HTTP01 solver pods.
5406 spec:
5407 type: object
5408 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
5409 properties:
5410 serviceAccountName:
5411 type: string
5412 description: If specified, the pod's service account. The solver pod only serves the challenge response, so prefer a dedicated service account with no additional RBAC permissions.
5413 priorityClassName:
5414 type: string
5415 description: If specified, the pod's priorityClassName.
5416 nodeSelector:
5417 type: object
5418 additionalProperties:
5419 type: string
5420 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
5421 affinity:
5422 type: object
5423 description: If specified, the pod's scheduling constraints
5424 properties:
5425 nodeAffinity:
5426 type: object
5427 description: Describes node affinity scheduling rules for the pod.
5428 properties:
5429 preferredDuringSchedulingIgnoredDuringExecution:
5430 type: array
5431 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
5432 items:
5433 type: object
5434 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
5435 properties:
5436 preference:
5437 type: object
5438 description: A node selector term, associated with the corresponding weight.
5439 properties:
5440 matchExpressions:
5441 type: array
5442 description: A list of node selector requirements by node's labels.
5443 items:
5444 type: object
5445 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5446 properties:
5447 key:
5448 type: string
5449 description: The label key that the selector applies to.
5450 operator:
5451 type: string
5452 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5453 values:
5454 type: array
5455 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5456 items:
5457 type: string
5458 required:
5459 - key
5460 - operator
5461 matchFields:
5462 type: array
5463 description: A list of node selector requirements by node's fields.
5464 items:
5465 type: object
5466 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5467 properties:
5468 key:
5469 type: string
5470 description: The label key that the selector applies to.
5471 operator:
5472 type: string
5473 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5474 values:
5475 type: array
5476 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5477 items:
5478 type: string
5479 required:
5480 - key
5481 - operator
5482 weight:
5483 type: integer
5484 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
5485 format: int32
5486 required:
5487 - preference
5488 - weight
5489 requiredDuringSchedulingIgnoredDuringExecution:
5490 type: object
5491 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
5492 properties:
5493 nodeSelectorTerms:
5494 type: array
5495 description: Required. A list of node selector terms. The terms are ORed.
5496 items:
5497 type: object
5498 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
5499 properties:
5500 matchExpressions:
5501 type: array
5502 description: A list of node selector requirements by node's labels.
5503 items:
5504 type: object
5505 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5506 properties:
5507 key:
5508 type: string
5509 description: The label key that the selector applies to.
5510 operator:
5511 type: string
5512 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5513 values:
5514 type: array
5515 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5516 items:
5517 type: string
5518 required:
5519 - key
5520 - operator
5521 matchFields:
5522 type: array
5523 description: A list of node selector requirements by node's fields.
5524 items:
5525 type: object
5526 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5527 properties:
5528 key:
5529 type: string
5530 description: The label key that the selector applies to.
5531 operator:
5532 type: string
5533 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5534 values:
5535 type: array
5536 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5537 items:
5538 type: string
5539 required:
5540 - key
5541 - operator
5542 required:
5543 - nodeSelectorTerms
5544 podAffinity:
5545 type: object
5546 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
5547 properties:
5548 preferredDuringSchedulingIgnoredDuringExecution:
5549 type: array
5550 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5551 items:
5552 type: object
5553 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5554 properties:
5555 podAffinityTerm:
5556 type: object
5557 description: Required. A pod affinity term, associated with the corresponding weight.
5558 properties:
5559 labelSelector:
5560 type: object
5561 description: A label query over a set of resources, in this case pods.
5562 properties:
5563 matchExpressions:
5564 type: array
5565 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5566 items:
5567 type: object
5568 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5569 properties:
5570 key:
5571 type: string
5572 description: key is the label key that the selector applies to.
5573 operator:
5574 type: string
5575 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5576 values:
5577 type: array
5578 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5579 items:
5580 type: string
5581 required:
5582 - key
5583 - operator
5584 matchLabels:
5585 type: object
5586 additionalProperties:
5587 type: string
5588 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5589 namespaceSelector:
5590 type: object
5591 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5592 properties:
5593 matchExpressions:
5594 type: array
5595 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5596 items:
5597 type: object
5598 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5599 properties:
5600 key:
5601 type: string
5602 description: key is the label key that the selector applies to.
5603 operator:
5604 type: string
5605 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5606 values:
5607 type: array
5608 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5609 items:
5610 type: string
5611 required:
5612 - key
5613 - operator
5614 matchLabels:
5615 type: object
5616 additionalProperties:
5617 type: string
5618 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5619 namespaces:
5620 type: array
5621 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5622 items:
5623 type: string
5624 topologyKey:
5625 type: string
5626 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5627 required:
5628 - topologyKey
5629 weight:
5630 type: integer
5631 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5632 format: int32
5633 required:
5634 - podAffinityTerm
5635 - weight
5636 requiredDuringSchedulingIgnoredDuringExecution:
5637 type: array
5638 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5639 items:
5640 type: object
5641 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5642 properties:
5643 labelSelector:
5644 type: object
5645 description: A label query over a set of resources, in this case pods.
5646 properties:
5647 matchExpressions:
5648 type: array
5649 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5650 items:
5651 type: object
5652 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5653 properties:
5654 key:
5655 type: string
5656 description: key is the label key that the selector applies to.
5657 operator:
5658 type: string
5659 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5660 values:
5661 type: array
5662 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5663 items:
5664 type: string
5665 required:
5666 - key
5667 - operator
5668 matchLabels:
5669 type: object
5670 additionalProperties:
5671 type: string
5672 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5673 namespaceSelector:
5674 type: object
5675 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5676 properties:
5677 matchExpressions:
5678 type: array
5679 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5680 items:
5681 type: object
5682 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5683 properties:
5684 key:
5685 type: string
5686 description: key is the label key that the selector applies to.
5687 operator:
5688 type: string
5689 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5690 values:
5691 type: array
5692 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5693 items:
5694 type: string
5695 required:
5696 - key
5697 - operator
5698 matchLabels:
5699 type: object
5700 additionalProperties:
5701 type: string
5702 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5703 namespaces:
5704 type: array
5705 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5706 items:
5707 type: string
5708 topologyKey:
5709 type: string
5710 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5711 required:
5712 - topologyKey
5713 podAntiAffinity:
5714 type: object
5715 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
5716 properties:
5717 preferredDuringSchedulingIgnoredDuringExecution:
5718 type: array
5719 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5720 items:
5721 type: object
5722 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5723 properties:
5724 podAffinityTerm:
5725 type: object
5726 description: Required. A pod affinity term, associated with the corresponding weight.
5727 properties:
5728 labelSelector:
5729 type: object
5730 description: A label query over a set of resources, in this case pods.
5731 properties:
5732 matchExpressions:
5733 type: array
5734 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5735 items:
5736 type: object
5737 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5738 properties:
5739 key:
5740 type: string
5741 description: key is the label key that the selector applies to.
5742 operator:
5743 type: string
5744 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5745 values:
5746 type: array
5747 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5748 items:
5749 type: string
5750 required:
5751 - key
5752 - operator
5753 matchLabels:
5754 type: object
5755 additionalProperties:
5756 type: string
5757 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5758 namespaceSelector:
5759 type: object
5760 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5761 properties:
5762 matchExpressions:
5763 type: array
5764 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5765 items:
5766 type: object
5767 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5768 properties:
5769 key:
5770 type: string
5771 description: key is the label key that the selector applies to.
5772 operator:
5773 type: string
5774 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5775 values:
5776 type: array
5777 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5778 items:
5779 type: string
5780 required:
5781 - key
5782 - operator
5783 matchLabels:
5784 type: object
5785 additionalProperties:
5786 type: string
5787 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5788 namespaces:
5789 type: array
5790 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5791 items:
5792 type: string
5793 topologyKey:
5794 type: string
5795 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5796 required:
5797 - topologyKey
5798 weight:
5799 type: integer
5800 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5801 format: int32
5802 required:
5803 - podAffinityTerm
5804 - weight
5805 requiredDuringSchedulingIgnoredDuringExecution:
5806 type: array
5807 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5808 items:
5809 type: object
5810 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5811 properties:
5812 labelSelector:
5813 type: object
5814 description: A label query over a set of resources, in this case pods.
5815 properties:
5816 matchExpressions:
5817 type: array
5818 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5819 items:
5820 type: object
5821 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5822 properties:
5823 key:
5824 type: string
5825 description: key is the label key that the selector applies to.
5826 operator:
5827 type: string
5828 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5829 values:
5830 type: array
5831 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5832 items:
5833 type: string
5834 required:
5835 - key
5836 - operator
5837 matchLabels:
5838 type: object
5839 additionalProperties:
5840 type: string
5841 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5842 namespaceSelector:
5843 type: object
5844 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5845 properties:
5846 matchExpressions:
5847 type: array
5848 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5849 items:
5850 type: object
5851 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5852 properties:
5853 key:
5854 type: string
5855 description: key is the label key that the selector applies to.
5856 operator:
5857 type: string
5858 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5859 values:
5860 type: array
5861 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5862 items:
5863 type: string
5864 required:
5865 - key
5866 - operator
5867 matchLabels:
5868 type: object
5869 additionalProperties:
5870 type: string
5871 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5872 namespaces:
5873 type: array
5874 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5875 items:
5876 type: string
5877 topologyKey:
5878 type: string
5879 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5880 required:
5881 - topologyKey
5882 tolerations:
5883 type: array
5884 description: If specified, the pod's tolerations.
5885 items:
5886 type: object
5887 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
5888 properties:
5889 value:
5890 type: string
5891 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
5892 effect:
5893 type: string
5894 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
5895 key:
5896 type: string
5897 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
5898 operator:
5899 type: string
5900 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
5901 tolerationSeconds:
5902 type: integer
5903 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
5904 format: int64
5905 serviceType:
5906 type: string
5907 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5908 token:
5909 type: string
5910 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
5911 url:
5912 type: string
5913 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
5914 wildcard:
5915 type: boolean
5916 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
5917 required:
5918 - authorizationURL
5919 - dnsName
5920 - issuerRef
5921 - key
5922 - solver
5923 - token
5924 - type
5925 - url
5926 status:
5927 type: object
5928 properties:
5929 presented:
5930 type: boolean
5931 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
5932 processing:
5933 type: boolean
5934 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
5935 reason:
5936 type: string
5937 description: Contains human readable information on why the Challenge is in the current state.
5938 state:
5939 type: string
5940 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
5941 enum:
5942 - valid
5943 - ready
5944 - pending
5945 - processing
5946 - invalid
5947 - expired
5948 - errored
5949 required:
5950 - metadata
5951 - spec
5952 served: true
5953 storage: false
5954 subresources:
5955 status: {}
5956---
5957# Source: cert-manager/templates/templates.out
5958apiVersion: apiextensions.k8s.io/v1
5959kind: CustomResourceDefinition
5960metadata:
5961 name: clusterissuers.cert-manager.io
5962 labels:
5963 app: 'cert-manager'
5964 app.kubernetes.io/instance: 'cert-manager'
5965 app.kubernetes.io/name: 'cert-manager'
5966 # Generated labels
5967 app.kubernetes.io/version: "v1.5.4"
5968 annotations:
5969 cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
5970 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
5971 pallet.edge.ncr.com/name: cert-manager
5972 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
5973 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
5974 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
5975 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
5976spec:
5977 conversion:
5978 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resource versions.
5979 strategy: Webhook
5980 # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint to be called by the API server.
5981 webhook:
5982 clientConfig:
5983 #
5984 service:
5985 name: 'cert-manager-webhook'
5986 namespace: "cert-manager"
5987 path: /convert
5988 #
5989 # We don't actually support `v1beta1`, but it is listed here because it is a
5990 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
5991 # API server reads the supported versions in order, so it _should always_
5992 # attempt a `v1` request, which is understood by the cert-manager webhook.
5993 # Any `v1beta1` request will return an error and fail closed for that
5994 # resource (the whole object request is rejected).
5995 # When we no longer support v1.16 we can remove `v1beta1` from this list.
5996 conversionReviewVersions: ["v1", "v1beta1"]
5997 group: cert-manager.io
5998 names:
5999 kind: ClusterIssuer
6000 categories:
6001 - cert-manager
6002 listKind: ClusterIssuerList
6003 plural: clusterissuers
6004 singular: clusterissuer
6005 scope: Cluster
6006 versions:
6007 - name: v1
6008 additionalPrinterColumns:
6009 - name: Ready
6010 type: string
6011 jsonPath: .status.conditions[?(@.type=="Ready")].status
6012 - name: Status
6013 type: string
6014 priority: 1
6015 jsonPath: .status.conditions[?(@.type=="Ready")].message
6016 - name: Age
6017 type: date
6018 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
6019 jsonPath: .metadata.creationTimestamp
6020 schema:
6021 openAPIV3Schema:
6022 type: object
6023 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
6024 properties:
6025 apiVersion:
6026 type: string
6027 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6028 kind:
6029 type: string
6030 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6031 metadata:
6032 type: object
6033 spec:
6034 type: object
6035 description: Desired state of the ClusterIssuer resource.
6036 properties:
6037 acme:
6038 type: object
6039 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
6040 properties:
6041 disableAccountKeyGeneration:
6042 type: boolean
6043 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
6044 email:
6045 type: string
6046 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
6047 enableDurationFeature:
6048 type: boolean
6049 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
6050 externalAccountBinding:
6051 type: object
6052 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
6053 properties:
6054 keyAlgorithm:
6055 type: string
6056 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
6057 enum:
6058 - HS256
6059 - HS384
6060 - HS512
6061 keyID:
6062 type: string
6063 description: keyID is the ID of the CA key that the External Account is bound to.
6064 keySecretRef:
6065 type: object
6066 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
6067 properties:
6068 name:
6069 type: string
6070 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6071 key:
6072 type: string
6073 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6074 required:
6075 - name
6076 required:
6077 - keyID
6078 - keySecretRef
6079 preferredChain:
6080 type: string
6081 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
6082 maxLength: 64
6083 privateKeySecretRef:
6084 type: object
6085 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
6086 properties:
6087 name:
6088 type: string
6089 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6090 key:
6091 type: string
6092 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6093 required:
6094 - name
6095 server:
6096 type: string
6097 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
6098 skipTLSVerify:
6099 type: boolean
6100 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
6101 solvers:
6102 type: array
6103 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
6104 items:
6105 type: object
6106 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
6107 properties:
6108 selector:
6109 type: object
6110 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
6111 properties:
6112 dnsNames:
6113 type: array
6114 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6115 items:
6116 type: string
6117 dnsZones:
6118 type: array
6119 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6120 items:
6121 type: string
6122 matchLabels:
6123 type: object
6124 additionalProperties:
6125 type: string
6126 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
6127 dns01:
6128 type: object
6129 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
6130 properties:
6131 acmeDNS:
6132 type: object
6133 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
6134 properties:
6135 accountSecretRef:
6136 type: object
6137 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6138 properties:
6139 name:
6140 type: string
6141 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6142 key:
6143 type: string
6144 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6145 required:
6146 - name
6147 host:
6148 type: string
6149 required:
6150 - accountSecretRef
6151 - host
6152 akamai:
6153 type: object
6154 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
6155 properties:
6156 accessTokenSecretRef:
6157 type: object
6158 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6159 properties:
6160 name:
6161 type: string
6162 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6163 key:
6164 type: string
6165 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6166 required:
6167 - name
6168 clientSecretSecretRef:
6169 type: object
6170 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6171 properties:
6172 name:
6173 type: string
6174 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6175 key:
6176 type: string
6177 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6178 required:
6179 - name
6180 clientTokenSecretRef:
6181 type: object
6182 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6183 properties:
6184 name:
6185 type: string
6186 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6187 key:
6188 type: string
6189 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6190 required:
6191 - name
6192 serviceConsumerDomain:
6193 type: string
6194 required:
6195 - accessTokenSecretRef
6196 - clientSecretSecretRef
6197 - clientTokenSecretRef
6198 - serviceConsumerDomain
6199 azureDNS:
6200 type: object
6201 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
6202 properties:
6203 clientID:
6204 type: string
6205 description: If both this and ClientSecret are left unset, MSI will be used.
6206 clientSecretSecretRef:
6207 type: object
6208 description: If both this and ClientID are left unset, MSI will be used.
6209 properties:
6210 name:
6211 type: string
6212 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6213 key:
6214 type: string
6215 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6216 required:
6217 - name
6218 environment:
6219 type: string
6220 enum:
6221 - AzurePublicCloud
6222 - AzureChinaCloud
6223 - AzureGermanCloud
6224 - AzureUSGovernmentCloud
6225 hostedZoneName:
6226 type: string
6227 resourceGroupName:
6228 type: string
6229 subscriptionID:
6230 type: string
6231 tenantID:
6232 type: string
6233 description: When specifying ClientID and ClientSecret, this field is also needed.
6234 required:
6235 - resourceGroupName
6236 - subscriptionID
6237 cloudDNS:
6238 type: object
6239 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
6240 properties:
6241 hostedZoneName:
6242 type: string
6243 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
6244 project:
6245 type: string
6246 serviceAccountSecretRef:
6247 type: object
6248 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6249 properties:
6250 name:
6251 type: string
6252 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6253 key:
6254 type: string
6255 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6256 required:
6257 - name
6258 required:
6259 - project
6260 cloudflare:
6261 type: object
6262 description: Use the Cloudflare API to manage DNS01 challenge records.
6263 properties:
6264 apiKeySecretRef:
6265 type: object
6266 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
6267 properties:
6268 name:
6269 type: string
6270 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6271 key:
6272 type: string
6273 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6274 required:
6275 - name
6276 apiTokenSecretRef:
6277 type: object
6278 description: API token used to authenticate with Cloudflare.
6279 properties:
6280 name:
6281 type: string
6282 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6283 key:
6284 type: string
6285 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6286 required:
6287 - name
6288 email:
6289 type: string
6290 description: Email of the account, only required when using API key based authentication.
6291 cnameStrategy:
6292 type: string
6293 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
6294 enum:
6295 - None
6296 - Follow
6297 digitalocean:
6298 type: object
6299 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
6300 properties:
6301 tokenSecretRef:
6302 type: object
6303 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6304 properties:
6305 name:
6306 type: string
6307 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6308 key:
6309 type: string
6310 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6311 required:
6312 - name
6313 required:
6314 - tokenSecretRef
6315 rfc2136:
6316 type: object
6317 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
6318 properties:
6319 nameserver:
6320 type: string
6321 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
6322 tsigAlgorithm:
6323 type: string
6324 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
6325 tsigKeyName:
6326 type: string
6327 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
6328 tsigSecretSecretRef:
6329 type: object
6330 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
6331 properties:
6332 name:
6333 type: string
6334 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6335 key:
6336 type: string
6337 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6338 required:
6339 - name
6340 required:
6341 - nameserver
6342 route53:
6343 type: object
6344 description: Use the AWS Route53 API to manage DNS01 challenge records.
6345 properties:
6346 accessKeyID:
6347 type: string
6348 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
6349 hostedZoneID:
6350 type: string
6351 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
6352 region:
6353 type: string
6354 description: Always set the region when using AccessKeyID and SecretAccessKey
6355 role:
6356 type: string
6357 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
6358 secretAccessKeySecretRef:
6359 type: object
6360 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
6361 properties:
6362 name:
6363 type: string
6364 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6365 key:
6366 type: string
6367 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6368 required:
6369 - name
6370 required:
6371 - region
6372 webhook:
6373 type: object
6374 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
6375 properties:
6376 config:
6377 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
6378 x-kubernetes-preserve-unknown-fields: true
6379 groupName:
6380 type: string
6381 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
6382 solverName:
6383 type: string
6384 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
6385 required:
6386 - groupName
6387 - solverName
6388 http01:
6389 type: object
6390 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
6391 properties:
6392 gatewayHTTPRoute:
6393 type: object
6394 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
6395 properties:
6396 labels:
6397 type: object
6398 additionalProperties:
6399 type: string
6400 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
6401 serviceType:
6402 type: string
6403 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6404 ingress:
6405 type: object
6406 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
6407 properties:
6408 name:
6409 type: string
6410 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
6411 class:
6412 type: string
6413 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
6414 ingressTemplate:
6415 type: object
6416 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
6417 properties:
6418 metadata:
6419 type: object
6420 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6421 properties:
6422 labels:
6423 type: object
6424 additionalProperties:
6425 type: string
6426 description: Labels that should be added to the created ACME HTTP01 solver ingress.
6427 annotations:
6428 type: object
6429 additionalProperties:
6430 type: string
6431 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
6432 podTemplate:
6433 type: object
6434 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
6435 properties:
6436 metadata:
6437 type: object
6438 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6439 properties:
6440 labels:
6441 type: object
6442 additionalProperties:
6443 type: string
6444 description: Labels that should be added to the created ACME HTTP01 solver pods.
6445 annotations:
6446 type: object
6447 additionalProperties:
6448 type: string
6449 description: Annotations that should be added to the created ACME HTTP01 solver pods.
6450 spec:
6451 type: object
6452 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
6453 properties:
6454 serviceAccountName:
6455 type: string
6456 description: If specified, the pod's service account
6457 priorityClassName:
6458 type: string
6459 description: If specified, the pod's priorityClassName.
6460 nodeSelector:
6461 type: object
6462 additionalProperties:
6463 type: string
6464 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
6465 affinity:
6466 type: object
6467 description: If specified, the pod's scheduling constraints
6468 properties:
6469 nodeAffinity:
6470 type: object
6471 description: Describes node affinity scheduling rules for the pod.
6472 properties:
6473 preferredDuringSchedulingIgnoredDuringExecution:
6474 type: array
6475 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
6476 items:
6477 type: object
6478 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
6479 properties:
6480 preference:
6481 type: object
6482 description: A node selector term, associated with the corresponding weight.
6483 properties:
6484 matchExpressions:
6485 type: array
6486 description: A list of node selector requirements by node's labels.
6487 items:
6488 type: object
6489 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6490 properties:
6491 key:
6492 type: string
6493 description: The label key that the selector applies to.
6494 operator:
6495 type: string
6496 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6497 values:
6498 type: array
6499 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6500 items:
6501 type: string
6502 required:
6503 - key
6504 - operator
6505 matchFields:
6506 type: array
6507 description: A list of node selector requirements by node's fields.
6508 items:
6509 type: object
6510 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6511 properties:
6512 key:
6513 type: string
6514 description: The label key that the selector applies to.
6515 operator:
6516 type: string
6517 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6518 values:
6519 type: array
6520 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6521 items:
6522 type: string
6523 required:
6524 - key
6525 - operator
6526 weight:
6527 type: integer
6528 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
6529 format: int32
6530 required:
6531 - preference
6532 - weight
6533 requiredDuringSchedulingIgnoredDuringExecution:
6534 type: object
6535 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
6536 properties:
6537 nodeSelectorTerms:
6538 type: array
6539 description: Required. A list of node selector terms. The terms are ORed.
6540 items:
6541 type: object
6542 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
6543 properties:
6544 matchExpressions:
6545 type: array
6546 description: A list of node selector requirements by node's labels.
6547 items:
6548 type: object
6549 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6550 properties:
6551 key:
6552 type: string
6553 description: The label key that the selector applies to.
6554 operator:
6555 type: string
6556 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6557 values:
6558 type: array
6559 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6560 items:
6561 type: string
6562 required:
6563 - key
6564 - operator
6565 matchFields:
6566 type: array
6567 description: A list of node selector requirements by node's fields.
6568 items:
6569 type: object
6570 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6571 properties:
6572 key:
6573 type: string
6574 description: The label key that the selector applies to.
6575 operator:
6576 type: string
6577 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6578 values:
6579 type: array
6580 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6581 items:
6582 type: string
6583 required:
6584 - key
6585 - operator
6586 required:
6587 - nodeSelectorTerms
6588 podAffinity:
6589 type: object
6590 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
6591 properties:
6592 preferredDuringSchedulingIgnoredDuringExecution:
6593 type: array
6594 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6595 items:
6596 type: object
6597 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6598 properties:
6599 podAffinityTerm:
6600 type: object
6601 description: Required. A pod affinity term, associated with the corresponding weight.
6602 properties:
6603 labelSelector:
6604 type: object
6605 description: A label query over a set of resources, in this case pods.
6606 properties:
6607 matchExpressions:
6608 type: array
6609 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6610 items:
6611 type: object
6612 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6613 properties:
6614 key:
6615 type: string
6616 description: key is the label key that the selector applies to.
6617 operator:
6618 type: string
6619 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6620 values:
6621 type: array
6622 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6623 items:
6624 type: string
6625 required:
6626 - key
6627 - operator
6628 matchLabels:
6629 type: object
6630 additionalProperties:
6631 type: string
6632 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6633 namespaceSelector:
6634 type: object
6635 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6636 properties:
6637 matchExpressions:
6638 type: array
6639 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6640 items:
6641 type: object
6642 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6643 properties:
6644 key:
6645 type: string
6646 description: key is the label key that the selector applies to.
6647 operator:
6648 type: string
6649 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6650 values:
6651 type: array
6652 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6653 items:
6654 type: string
6655 required:
6656 - key
6657 - operator
6658 matchLabels:
6659 type: object
6660 additionalProperties:
6661 type: string
6662 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6663 namespaces:
6664 type: array
6665 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6666 items:
6667 type: string
6668 topologyKey:
6669 type: string
6670 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6671 required:
6672 - topologyKey
6673 weight:
6674 type: integer
6675 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6676 format: int32
6677 required:
6678 - podAffinityTerm
6679 - weight
6680 requiredDuringSchedulingIgnoredDuringExecution:
6681 type: array
6682 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6683 items:
6684 type: object
6685 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6686 properties:
6687 labelSelector:
6688 type: object
6689 description: A label query over a set of resources, in this case pods.
6690 properties:
6691 matchExpressions:
6692 type: array
6693 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6694 items:
6695 type: object
6696 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6697 properties:
6698 key:
6699 type: string
6700 description: key is the label key that the selector applies to.
6701 operator:
6702 type: string
6703 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6704 values:
6705 type: array
6706 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6707 items:
6708 type: string
6709 required:
6710 - key
6711 - operator
6712 matchLabels:
6713 type: object
6714 additionalProperties:
6715 type: string
6716 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6717 namespaceSelector:
6718 type: object
6719 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6720 properties:
6721 matchExpressions:
6722 type: array
6723 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6724 items:
6725 type: object
6726 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6727 properties:
6728 key:
6729 type: string
6730 description: key is the label key that the selector applies to.
6731 operator:
6732 type: string
6733 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6734 values:
6735 type: array
6736 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6737 items:
6738 type: string
6739 required:
6740 - key
6741 - operator
6742 matchLabels:
6743 type: object
6744 additionalProperties:
6745 type: string
6746 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6747 namespaces:
6748 type: array
6749 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6750 items:
6751 type: string
6752 topologyKey:
6753 type: string
6754 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6755 required:
6756 - topologyKey
6757 podAntiAffinity:
6758 type: object
6759 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
6760 properties:
6761 preferredDuringSchedulingIgnoredDuringExecution:
6762 type: array
6763 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6764 items:
6765 type: object
6766 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6767 properties:
6768 podAffinityTerm:
6769 type: object
6770 description: Required. A pod affinity term, associated with the corresponding weight.
6771 properties:
6772 labelSelector:
6773 type: object
6774 description: A label query over a set of resources, in this case pods.
6775 properties:
6776 matchExpressions:
6777 type: array
6778 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6779 items:
6780 type: object
6781 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6782 properties:
6783 key:
6784 type: string
6785 description: key is the label key that the selector applies to.
6786 operator:
6787 type: string
6788 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6789 values:
6790 type: array
6791 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6792 items:
6793 type: string
6794 required:
6795 - key
6796 - operator
6797 matchLabels:
6798 type: object
6799 additionalProperties:
6800 type: string
6801 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6802 namespaceSelector:
6803 type: object
6804 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6805 properties:
6806 matchExpressions:
6807 type: array
6808 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6809 items:
6810 type: object
6811 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6812 properties:
6813 key:
6814 type: string
6815 description: key is the label key that the selector applies to.
6816 operator:
6817 type: string
6818 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6819 values:
6820 type: array
6821 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6822 items:
6823 type: string
6824 required:
6825 - key
6826 - operator
6827 matchLabels:
6828 type: object
6829 additionalProperties:
6830 type: string
6831 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6832 namespaces:
6833 type: array
6834 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6835 items:
6836 type: string
6837 topologyKey:
6838 type: string
6839 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6840 required:
6841 - topologyKey
6842 weight:
6843 type: integer
6844 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6845 format: int32
6846 required:
6847 - podAffinityTerm
6848 - weight
6849 requiredDuringSchedulingIgnoredDuringExecution:
6850 type: array
6851 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6852 items:
6853 type: object
6854 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6855 properties:
6856 labelSelector:
6857 type: object
6858 description: A label query over a set of resources, in this case pods.
6859 properties:
6860 matchExpressions:
6861 type: array
6862 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6863 items:
6864 type: object
6865 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6866 properties:
6867 key:
6868 type: string
6869 description: key is the label key that the selector applies to.
6870 operator:
6871 type: string
6872 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6873 values:
6874 type: array
6875 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6876 items:
6877 type: string
6878 required:
6879 - key
6880 - operator
6881 matchLabels:
6882 type: object
6883 additionalProperties:
6884 type: string
6885 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6886 namespaceSelector:
6887 type: object
6888 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6889 properties:
6890 matchExpressions:
6891 type: array
6892 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6893 items:
6894 type: object
6895 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6896 properties:
6897 key:
6898 type: string
6899 description: key is the label key that the selector applies to.
6900 operator:
6901 type: string
6902 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6903 values:
6904 type: array
6905 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6906 items:
6907 type: string
6908 required:
6909 - key
6910 - operator
6911 matchLabels:
6912 type: object
6913 additionalProperties:
6914 type: string
6915 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6916 namespaces:
6917 type: array
6918 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6919 items:
6920 type: string
6921 topologyKey:
6922 type: string
6923 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6924 required:
6925 - topologyKey
6926 tolerations:
6927 type: array
6928 description: If specified, the pod's tolerations.
6929 items:
6930 type: object
6931 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
6932 properties:
6933 value:
6934 type: string
6935 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
6936 effect:
6937 type: string
6938 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
6939 key:
6940 type: string
6941 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
6942 operator:
6943 type: string
6944 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
6945 tolerationSeconds:
6946 type: integer
6947 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
6948 format: int64
6949 serviceType:
6950 type: string
6951 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6952 required:
6953 - privateKeySecretRef
6954 - server
6955 ca:
6956 type: object
6957 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
6958 properties:
6959 crlDistributionPoints:
6960 type: array
6961 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
6962 items:
6963 type: string
6964 ocspServers:
6965 type: array
6966 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
6967 items:
6968 type: string
6969 secretName:
6970 type: string
6971 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
6972 required:
6973 - secretName
6974 selfSigned:
6975 type: object
6976 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
6977 properties:
6978 crlDistributionPoints:
6979 type: array
6980 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
6981 items:
6982 type: string
6983 vault:
6984 type: object
6985 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
6986 properties:
6987 namespace:
6988 type: string
6989 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
6990 auth:
6991 type: object
6992 description: Auth configures how cert-manager authenticates with the Vault server.
6993 properties:
6994 appRole:
6995 type: object
6996 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
6997 properties:
6998 secretRef:
6999 type: object
7000 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
7001 properties:
7002 name:
7003 type: string
7004 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7005 key:
7006 type: string
7007 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7008 required:
7009 - name
7010 path:
7011 type: string
7012 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
7013 roleId:
7014 type: string
7015 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
7016 required:
7017 - path
7018 - roleId
7019 - secretRef
7020 kubernetes:
7021 type: object
7022 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
7023 properties:
7024 mountPath:
7025 type: string
7026 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
7027 secretRef:
7028 type: object
7029 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
7030 properties:
7031 name:
7032 type: string
7033 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7034 key:
7035 type: string
7036 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7037 required:
7038 - name
7039 role:
7040 type: string
7041 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
7042 required:
7043 - role
7044 - secretRef
7045 tokenSecretRef:
7046 type: object
7047 description: TokenSecretRef authenticates with Vault by presenting a token.
7048 properties:
7049 name:
7050 type: string
7051 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7052 key:
7053 type: string
7054 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7055 required:
7056 - name
7057 caBundle:
7058 type: string
7059 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection.
7060 format: byte
7061 path:
7062 type: string
7063 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
7064 server:
7065 type: string
7066 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
7067 required:
7068 - auth
7069 - path
7070 - server
7071 venafi:
7072 type: object
7073 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
7074 properties:
7075 cloud:
7076 type: object
7077 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
7078 properties:
7079 apiTokenSecretRef:
7080 type: object
7081 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
7082 properties:
7083 name:
7084 type: string
7085 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7086 key:
7087 type: string
7088 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7089 required:
7090 - name
7091 url:
7092 type: string
7093 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
7094 required:
7095 - apiTokenSecretRef
7096 tpp:
7097 type: object
7098 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
7099 properties:
7100 caBundle:
7101 type: string
7102 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
7103 format: byte
7104 credentialsRef:
7105 type: object
7106 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
7107 properties:
7108 name:
7109 type: string
7110 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7111 required:
7112 - name
7113 url:
7114 type: string
7115 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
7116 required:
7117 - credentialsRef
7118 - url
7119 zone:
7120 type: string
7121 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
7122 required:
7123 - zone
7124 status:
7125 type: object
7126 description: Status of the ClusterIssuer. This is set and managed automatically.
7127 properties:
7128 acme:
7129 type: object
7130 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
7131 properties:
7132 lastRegisteredEmail:
7133 type: string
7134 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
7135 uri:
7136 type: string
7137 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
7138 conditions:
7139 type: array
7140 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
7141 items:
7142 type: object
7143 description: IssuerCondition contains condition information for an Issuer.
7144 properties:
7145 type:
7146 type: string
7147 description: Type of the condition, known values are (`Ready`).
7148 status:
7149 type: string
7150 description: Status of the condition, one of (`True`, `False`, `Unknown`).
7151 enum:
7152 - "True"
7153 - "False"
7154 - Unknown
7155 lastTransitionTime:
7156 type: string
7157 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
7158 format: date-time
7159 message:
7160 type: string
7161 description: Message is a human readable description of the details of the last transition, complementing reason.
7162 observedGeneration:
7163 type: integer
7164 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
7165 format: int64
7166 reason:
7167 type: string
7168 description: Reason is a brief machine readable explanation for the condition's last transition.
7169 required:
7170 - status
7171 - type
7172 required:
7173 - spec
7174 served: true
7175 storage: true
7176 subresources:
7177 status: {}
7178 - name: v1alpha2
7179 additionalPrinterColumns:
7180 - name: Ready
7181 type: string
7182 jsonPath: .status.conditions[?(@.type=="Ready")].status
7183 - name: Status
7184 type: string
7185 priority: 1
7186 jsonPath: .status.conditions[?(@.type=="Ready")].message
7187 - name: Age
7188 type: date
7189 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
7190 jsonPath: .metadata.creationTimestamp
7191 schema:
7192 openAPIV3Schema:
7193 type: object
7194 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
7195 properties:
7196 apiVersion:
7197 type: string
7198 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
7199 kind:
7200 type: string
7201 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
7202 metadata:
7203 type: object
7204 spec:
7205 type: object
7206 description: Desired state of the ClusterIssuer resource.
7207 properties:
7208 acme:
7209 type: object
7210 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
7211 properties:
7212 disableAccountKeyGeneration:
7213 type: boolean
7214 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
7215 email:
7216 type: string
7217 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
7218 enableDurationFeature:
7219 type: boolean
7220 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, e.g. Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
7221 externalAccountBinding:
7222 type: object
7223 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
7224 properties:
7225 keyAlgorithm:
7226 type: string
7227 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
7228 enum:
7229 - HS256
7230 - HS384
7231 - HS512
7232 keyID:
7233 type: string
7234 description: keyID is the ID of the CA key that the External Account is bound to.
7235 keySecretRef:
7236 type: object
7237 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
7238 properties:
7239 name:
7240 type: string
7241 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7242 key:
7243 type: string
7244 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7245 required:
7246 - name
7247 required:
7248 - keyID
7249 - keySecretRef
7250 preferredChain:
7251 type: string
7252 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
7253 maxLength: 64
7254 privateKeySecretRef:
7255 type: object
7256 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
7257 properties:
7258 name:
7259 type: string
7260 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7261 key:
7262 type: string
7263 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7264 required:
7265 - name
7266 server:
7267 type: string
7268 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
7269 skipTLSVerify:
7270 type: boolean
7271 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
7272 solvers:
7273 type: array
7274 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
7275 items:
7276 type: object
7277 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
7278 properties:
7279 selector:
7280 type: object
7281 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
7282 properties:
7283 dnsNames:
7284 type: array
7285 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
7286 items:
7287 type: string
7288 dnsZones:
7289 type: array
7290 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
7291 items:
7292 type: string
7293 matchLabels:
7294 type: object
7295 additionalProperties:
7296 type: string
7297 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
7298 dns01:
7299 type: object
7300 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
7301 properties:
7302 acmedns:
7303 type: object
7304 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
7305 properties:
7306 accountSecretRef:
7307 type: object
7308 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7309 properties:
7310 name:
7311 type: string
7312 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7313 key:
7314 type: string
7315 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7316 required:
7317 - name
7318 host:
7319 type: string
7320 required:
7321 - accountSecretRef
7322 - host
7323 akamai:
7324 type: object
7325 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
7326 properties:
7327 accessTokenSecretRef:
7328 type: object
7329 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7330 properties:
7331 name:
7332 type: string
7333 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7334 key:
7335 type: string
7336 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7337 required:
7338 - name
7339 clientSecretSecretRef:
7340 type: object
7341 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7342 properties:
7343 name:
7344 type: string
7345 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7346 key:
7347 type: string
7348 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7349 required:
7350 - name
7351 clientTokenSecretRef:
7352 type: object
7353 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7354 properties:
7355 name:
7356 type: string
7357 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7358 key:
7359 type: string
7360 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7361 required:
7362 - name
7363 serviceConsumerDomain:
7364 type: string
7365 required:
7366 - accessTokenSecretRef
7367 - clientSecretSecretRef
7368 - clientTokenSecretRef
7369 - serviceConsumerDomain
7370 azuredns:
7371 type: object
7372 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
7373 properties:
7374 clientID:
7375 type: string
7376 description: If both this and ClientSecret are left unset, MSI will be used.
7377 clientSecretSecretRef:
7378 type: object
7379 description: If both this and ClientID are left unset, MSI will be used.
7380 properties:
7381 name:
7382 type: string
7383 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7384 key:
7385 type: string
7386 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7387 required:
7388 - name
7389 environment:
7390 type: string
7391 enum:
7392 - AzurePublicCloud
7393 - AzureChinaCloud
7394 - AzureGermanCloud
7395 - AzureUSGovernmentCloud
7396 hostedZoneName:
7397 type: string
7398 resourceGroupName:
7399 type: string
7400 subscriptionID:
7401 type: string
7402 tenantID:
7403 type: string
7404 description: When ClientID and ClientSecret are specified, this field is also required.
7405 required:
7406 - resourceGroupName
7407 - subscriptionID
7408 clouddns:
7409 type: object
7410 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
7411 properties:
7412 hostedZoneName:
7413 type: string
7414 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
7415 project:
7416 type: string
7417 serviceAccountSecretRef:
7418 type: object
7419 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7420 properties:
7421 name:
7422 type: string
7423 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7424 key:
7425 type: string
7426 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7427 required:
7428 - name
7429 required:
7430 - project
7431 cloudflare:
7432 type: object
7433 description: Use the Cloudflare API to manage DNS01 challenge records.
7434 properties:
7435 apiKeySecretRef:
7436 type: object
7437 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
7438 properties:
7439 name:
7440 type: string
7441 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7442 key:
7443 type: string
7444 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7445 required:
7446 - name
7447 apiTokenSecretRef:
7448 type: object
7449 description: API token used to authenticate with Cloudflare.
7450 properties:
7451 name:
7452 type: string
7453 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7454 key:
7455 type: string
7456 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7457 required:
7458 - name
7459 email:
7460 type: string
7461 description: Email of the account, only required when using API key based authentication.
7462 cnameStrategy:
7463 type: string
7464 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
7465 enum:
7466 - None
7467 - Follow
7468 digitalocean:
7469 type: object
7470 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
7471 properties:
7472 tokenSecretRef:
7473 type: object
7474 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7475 properties:
7476 name:
7477 type: string
7478 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7479 key:
7480 type: string
7481 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7482 required:
7483 - name
7484 required:
7485 - tokenSecretRef
7486 rfc2136:
7487 type: object
7488 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
7489 properties:
7490 nameserver:
7491 type: string
7492 description: The IP address or hostname of an authoritative DNS server supporting RFC2136, in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
7493 tsigAlgorithm:
7494 type: string
7495 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
7496 tsigKeyName:
7497 type: string
7498 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
7499 tsigSecretSecretRef:
7500 type: object
7501 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
7502 properties:
7503 name:
7504 type: string
7505 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7506 key:
7507 type: string
7508 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7509 required:
7510 - name
7511 required:
7512 - nameserver
7513 route53:
7514 type: object
7515 description: Use the AWS Route53 API to manage DNS01 challenge records.
7516 properties:
7517 accessKeyID:
7518 type: string
7519 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
7520 hostedZoneID:
7521 type: string
7522 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
7523 region:
7524 type: string
7525 description: Always set the region when using AccessKeyID and SecretAccessKey
7526 role:
7527 type: string
7528 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
7529 secretAccessKeySecretRef:
7530 type: object
7531 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
7532 properties:
7533 name:
7534 type: string
7535 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7536 key:
7537 type: string
7538 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7539 required:
7540 - name
7541 required:
7542 - region
7543 webhook:
7544 type: object
7545 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
7546 properties:
7547 config:
7548 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
7549 x-kubernetes-preserve-unknown-fields: true
7550 groupName:
7551 type: string
7552 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
7553 solverName:
7554 type: string
7555 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
7556 required:
7557 - groupName
7558 - solverName
7559 http01:
7560 type: object
7561 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
7562 properties:
7563 gatewayHTTPRoute:
7564 type: object
7565 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
7566 properties:
7567 labels:
7568 type: object
7569 additionalProperties:
7570 type: string
7571 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
7572 serviceType:
7573 type: string
7574 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
7575 ingress:
7576 type: object
7577 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
7578 properties:
7579 name:
7580 type: string
7581 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
7582 class:
7583 type: string
7584 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
7585 ingressTemplate:
7586 type: object
7587 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
7588 properties:
7589 metadata:
7590 type: object
7591 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7592 properties:
7593 labels:
7594 type: object
7595 additionalProperties:
7596 type: string
7597 description: Labels that should be added to the created ACME HTTP01 solver ingress.
7598 annotations:
7599 type: object
7600 additionalProperties:
7601 type: string
7602 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
7603 podTemplate:
7604 type: object
7605 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
7606 properties:
7607 metadata:
7608 type: object
7609 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7610 properties:
7611 labels:
7612 type: object
7613 additionalProperties:
7614 type: string
7615 description: Labels that should be added to the created ACME HTTP01 solver pods.
7616 annotations:
7617 type: object
7618 additionalProperties:
7619 type: string
7620 description: Annotations that should be added to the created ACME HTTP01 solver pods.
7621 spec:
7622 type: object
7623 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
7624 properties:
7625 serviceAccountName:
7626 type: string
7627 description: If specified, the pod's service account name.
7628 priorityClassName:
7629 type: string
7630 description: If specified, the pod's priorityClassName.
7631 nodeSelector:
7632 type: object
7633 additionalProperties:
7634 type: string
7635 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
7636 affinity:
7637 type: object
7638 description: If specified, the pod's scheduling constraints
7639 properties:
7640 nodeAffinity:
7641 type: object
7642 description: Describes node affinity scheduling rules for the pod.
7643 properties:
7644 preferredDuringSchedulingIgnoredDuringExecution:
7645 type: array
7646 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
7647 items:
7648 type: object
7649 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
7650 properties:
7651 preference:
7652 type: object
7653 description: A node selector term, associated with the corresponding weight.
7654 properties:
7655 matchExpressions:
7656 type: array
7657 description: A list of node selector requirements by node's labels.
7658 items:
7659 type: object
7660 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7661 properties:
7662 key:
7663 type: string
7664 description: The label key that the selector applies to.
7665 operator:
7666 type: string
7667 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7668 values:
7669 type: array
7670 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7671 items:
7672 type: string
7673 required:
7674 - key
7675 - operator
7676 matchFields:
7677 type: array
7678 description: A list of node selector requirements by node's fields.
7679 items:
7680 type: object
7681 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7682 properties:
7683 key:
7684 type: string
7685 description: The label key that the selector applies to.
7686 operator:
7687 type: string
7688 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7689 values:
7690 type: array
7691 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7692 items:
7693 type: string
7694 required:
7695 - key
7696 - operator
7697 weight:
7698 type: integer
7699 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
7700 format: int32
7701 required:
7702 - preference
7703 - weight
7704 requiredDuringSchedulingIgnoredDuringExecution:
7705 type: object
7706 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
7707 properties:
7708 nodeSelectorTerms:
7709 type: array
7710 description: Required. A list of node selector terms. The terms are ORed.
7711 items:
7712 type: object
7713 description: A null or empty node selector term matches no objects. Its requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
7714 properties:
7715 matchExpressions:
7716 type: array
7717 description: A list of node selector requirements by node's labels.
7718 items:
7719 type: object
7720 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7721 properties:
7722 key:
7723 type: string
7724 description: The label key that the selector applies to.
7725 operator:
7726 type: string
7727 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7728 values:
7729 type: array
7730 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7731 items:
7732 type: string
7733 required:
7734 - key
7735 - operator
7736 matchFields:
7737 type: array
7738 description: A list of node selector requirements by node's fields.
7739 items:
7740 type: object
7741 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7742 properties:
7743 key:
7744 type: string
7745 description: The label key that the selector applies to.
7746 operator:
7747 type: string
7748 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7749 values:
7750 type: array
7751 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7752 items:
7753 type: string
7754 required:
7755 - key
7756 - operator
7757 required:
7758 - nodeSelectorTerms
7759 podAffinity:
7760 type: object
7761 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
7762 properties:
7763 preferredDuringSchedulingIgnoredDuringExecution:
7764 type: array
7765 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7766 items:
7767 type: object
7768 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7769 properties:
7770 podAffinityTerm:
7771 type: object
7772 description: Required. A pod affinity term, associated with the corresponding weight.
7773 properties:
7774 labelSelector:
7775 type: object
7776 description: A label query over a set of resources, in this case pods.
7777 properties:
7778 matchExpressions:
7779 type: array
7780 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7781 items:
7782 type: object
7783 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7784 properties:
7785 key:
7786 type: string
7787 description: key is the label key that the selector applies to.
7788 operator:
7789 type: string
7790 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7791 values:
7792 type: array
7793 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7794 items:
7795 type: string
7796 required:
7797 - key
7798 - operator
7799 matchLabels:
7800 type: object
7801 additionalProperties:
7802 type: string
7803 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7804 namespaceSelector:
7805 type: object
7806 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7807 properties:
7808 matchExpressions:
7809 type: array
7810 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7811 items:
7812 type: object
7813 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7814 properties:
7815 key:
7816 type: string
7817 description: key is the label key that the selector applies to.
7818 operator:
7819 type: string
7820 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7821 values:
7822 type: array
7823 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7824 items:
7825 type: string
7826 required:
7827 - key
7828 - operator
7829 matchLabels:
7830 type: object
7831 additionalProperties:
7832 type: string
7833 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7834 namespaces:
7835 type: array
7836 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7837 items:
7838 type: string
7839 topologyKey:
7840 type: string
7841 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7842 required:
7843 - topologyKey
7844 weight:
7845 type: integer
7846 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7847 format: int32
7848 required:
7849 - podAffinityTerm
7850 - weight
7851 requiredDuringSchedulingIgnoredDuringExecution:
7852 type: array
7853 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7854 items:
7855 type: object
7856 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7857 properties:
7858 labelSelector:
7859 type: object
7860 description: A label query over a set of resources, in this case pods.
7861 properties:
7862 matchExpressions:
7863 type: array
7864 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7865 items:
7866 type: object
7867 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7868 properties:
7869 key:
7870 type: string
7871 description: key is the label key that the selector applies to.
7872 operator:
7873 type: string
7874 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7875 values:
7876 type: array
7877 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7878 items:
7879 type: string
7880 required:
7881 - key
7882 - operator
7883 matchLabels:
7884 type: object
7885 additionalProperties:
7886 type: string
7887 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7888 namespaceSelector:
7889 type: object
7890 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7891 properties:
7892 matchExpressions:
7893 type: array
7894 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7895 items:
7896 type: object
7897 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7898 properties:
7899 key:
7900 type: string
7901 description: key is the label key that the selector applies to.
7902 operator:
7903 type: string
7904 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7905 values:
7906 type: array
7907 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7908 items:
7909 type: string
7910 required:
7911 - key
7912 - operator
7913 matchLabels:
7914 type: object
7915 additionalProperties:
7916 type: string
7917 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7918 namespaces:
7919 type: array
7920 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7921 items:
7922 type: string
7923 topologyKey:
7924 type: string
7925 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7926 required:
7927 - topologyKey
7928 podAntiAffinity:
7929 type: object
7930 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
7931 properties:
7932 preferredDuringSchedulingIgnoredDuringExecution:
7933 type: array
7934 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7935 items:
7936 type: object
7937 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7938 properties:
7939 podAffinityTerm:
7940 type: object
7941 description: Required. A pod affinity term, associated with the corresponding weight.
7942 properties:
7943 labelSelector:
7944 type: object
7945 description: A label query over a set of resources, in this case pods.
7946 properties:
7947 matchExpressions:
7948 type: array
7949 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7950 items:
7951 type: object
7952 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7953 properties:
7954 key:
7955 type: string
7956 description: key is the label key that the selector applies to.
7957 operator:
7958 type: string
7959 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7960 values:
7961 type: array
7962 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7963 items:
7964 type: string
7965 required:
7966 - key
7967 - operator
7968 matchLabels:
7969 type: object
7970 additionalProperties:
7971 type: string
7972 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7973 namespaceSelector:
7974 type: object
7975 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7976 properties:
7977 matchExpressions:
7978 type: array
7979 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7980 items:
7981 type: object
7982 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7983 properties:
7984 key:
7985 type: string
7986 description: key is the label key that the selector applies to.
7987 operator:
7988 type: string
7989 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7990 values:
7991 type: array
7992 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7993 items:
7994 type: string
7995 required:
7996 - key
7997 - operator
7998 matchLabels:
7999 type: object
8000 additionalProperties:
8001 type: string
8002 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8003 namespaces:
8004 type: array
8005 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8006 items:
8007 type: string
8008 topologyKey:
8009 type: string
8010 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8011 required:
8012 - topologyKey
8013 weight:
8014 type: integer
8015 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
8016 format: int32
8017 required:
8018 - podAffinityTerm
8019 - weight
8020 requiredDuringSchedulingIgnoredDuringExecution:
8021 type: array
8022 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
8023 items:
8024 type: object
8025 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
8026 properties:
8027 labelSelector:
8028 type: object
8029 description: A label query over a set of resources, in this case pods.
8030 properties:
8031 matchExpressions:
8032 type: array
8033 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8034 items:
8035 type: object
8036 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8037 properties:
8038 key:
8039 type: string
8040 description: key is the label key that the selector applies to.
8041 operator:
8042 type: string
8043 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8044 values:
8045 type: array
8046 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8047 items:
8048 type: string
8049 required:
8050 - key
8051 - operator
8052 matchLabels:
8053 type: object
8054 additionalProperties:
8055 type: string
8056 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8057 namespaceSelector:
8058 type: object
8059 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8060 properties:
8061 matchExpressions:
8062 type: array
8063 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8064 items:
8065 type: object
8066 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8067 properties:
8068 key:
8069 type: string
8070 description: key is the label key that the selector applies to.
8071 operator:
8072 type: string
8073 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8074 values:
8075 type: array
8076 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8077 items:
8078 type: string
8079 required:
8080 - key
8081 - operator
8082 matchLabels:
8083 type: object
8084 additionalProperties:
8085 type: string
8086 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8087 namespaces:
8088 type: array
8089 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8090 items:
8091 type: string
8092 topologyKey:
8093 type: string
8094 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8095 required:
8096 - topologyKey
8097 tolerations:
8098 type: array
8099 description: If specified, the pod's tolerations.
8100 items:
8101 type: object
8102 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
8103 properties:
8104 value:
8105 type: string
8106 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
8107 effect:
8108 type: string
8109 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
8110 key:
8111 type: string
8112 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
8113 operator:
8114 type: string
8115 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
8116 tolerationSeconds:
8117 type: integer
8118 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
8119 format: int64
8120 serviceType:
8121 type: string
8122 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. A NodePort service opens a port on every cluster node, whereas ClusterIP keeps the solver reachable only from inside the cluster; choose the narrower exposure that still lets your ingress route the challenge traffic.
8123 required:
8124 - privateKeySecretRef
8125 - server
8126 ca:
8127 type: object
8128 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
8129 properties:
8130 crlDistributionPoints:
8131 type: array
8132 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
8133 items:
8134 type: string
8135 ocspServers:
8136 type: array
8137 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
8138 items:
8139 type: string
8140 secretName:
8141 type: string
8142 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
8143 required:
8144 - secretName
8145 selfSigned:
8146 type: object
8147 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
8148 properties:
8149 crlDistributionPoints:
8150 type: array
8151 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
8152 items:
8153 type: string
8154 vault:
8155 type: object
8156 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
8157 properties:
8158 namespace:
8159 type: string
8160 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
8161 auth:
8162 type: object
8163 description: Auth configures how cert-manager authenticates with the Vault server.
8164 properties:
8165 appRole:
8166 type: object
8167 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
8168 properties:
8169 secretRef:
8170 type: object
8171 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
8172 properties:
8173 name:
8174 type: string
8175 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8176 key:
8177 type: string
8178 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8179 required:
8180 - name
8181 path:
8182 type: string
8183 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
8184 roleId:
8185 type: string
8186 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
8187 required:
8188 - path
8189 - roleId
8190 - secretRef
8191 kubernetes:
8192 type: object
8193 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
8194 properties:
8195 mountPath:
8196 type: string
8197 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
8198 secretRef:
8199 type: object
8200 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
8201 properties:
8202 name:
8203 type: string
8204 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8205 key:
8206 type: string
8207 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8208 required:
8209 - name
8210 role:
8211 type: string
8212 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
8213 required:
8214 - role
8215 - secretRef
8216 tokenSecretRef:
8217 type: object
8218 description: TokenSecretRef authenticates with Vault by presenting a token.
8219 properties:
8220 name:
8221 type: string
8222 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8223 key:
8224 type: string
8225 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8226 required:
8227 - name
8228 caBundle:
8229 type: string
8230 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection, in which case the Vault credentials referenced under auth (token, AppRole secret or ServiceAccount JWT) are sent unencrypted, so an https server URL should be used. If not set the system root certificates are used to validate the TLS connection.
8231 format: byte
8232 path:
8233 type: string
8234 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
8235 server:
8236 type: string
8237 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
8238 required:
8239 - auth
8240 - path
8241 - server
8242 venafi:
8243 type: object
8244 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
8245 properties:
8246 cloud:
8247 type: object
8248 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
8249 properties:
8250 apiTokenSecretRef:
8251 type: object
8252 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
8253 properties:
8254 name:
8255 type: string
8256 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8257 key:
8258 type: string
8259 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8260 required:
8261 - name
8262 url:
8263 type: string
8264 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
8265 required:
8266 - apiTokenSecretRef
8267 tpp:
8268 type: object
8269 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
8270 properties:
8271 caBundle:
8272 type: string
8273 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
8274 format: byte
8275 credentialsRef:
8276 type: object
8277 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
8278 properties:
8279 name:
8280 type: string
8281 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8282 required:
8283 - name
8284 url:
8285 type: string
8286 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
8287 required:
8288 - credentialsRef
8289 - url
8290 zone:
8291 type: string
8292 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
8293 required:
8294 - zone
8295 status:
8296 type: object
8297 description: Status of the ClusterIssuer. This is set and managed automatically.
8298 properties:
8299 acme:
8300 type: object
8301 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
8302 properties:
8303 lastRegisteredEmail:
8304 type: string
8305 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
8306 uri:
8307 type: string
8308 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
8309 conditions:
8310 type: array
8311 description: List of status conditions to indicate the status of the Issuer. Known condition types are `Ready`.
8312 items:
8313 type: object
8314 description: IssuerCondition contains condition information for an Issuer.
8315 properties:
8316 type:
8317 type: string
8318 description: Type of the condition, known values are (`Ready`).
8319 status:
8320 type: string
8321 description: Status of the condition, one of (`True`, `False`, `Unknown`).
8322 enum:
8323 - "True"
8324 - "False"
8325 - Unknown
8326 lastTransitionTime:
8327 type: string
8328 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
8329 format: date-time
8330 message:
8331 type: string
8332 description: Message is a human readable description of the details of the last transition, complementing reason.
8333 observedGeneration:
8334 type: integer
8335 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
8336 format: int64
8337 reason:
8338 type: string
8339 description: Reason is a brief machine readable explanation for the condition's last transition.
8340 required:
8341 - status
8342 - type
8343 served: true
8344 storage: false
8345 subresources:
8346 status: {}
8347 - name: v1alpha3
8348 additionalPrinterColumns:
8349 - name: Ready
8350 type: string
8351 jsonPath: .status.conditions[?(@.type=="Ready")].status
8352 - name: Status
8353 type: string
8354 priority: 1
8355 jsonPath: .status.conditions[?(@.type=="Ready")].message
8356 - name: Age
8357 type: date
8358 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
8359 jsonPath: .metadata.creationTimestamp
8360 schema:
8361 openAPIV3Schema:
8362 type: object
8363 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
8364 properties:
8365 apiVersion:
8366 type: string
8367 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8368 kind:
8369 type: string
8370 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8371 metadata:
8372 type: object
8373 spec:
8374 type: object
8375 description: Desired state of the ClusterIssuer resource.
8376 properties:
8377 acme:
8378 type: object
8379 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
8380 properties:
8381 disableAccountKeyGeneration:
8382 type: boolean
8383 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
8384 email:
8385 type: string
8386 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
8387 enableDurationFeature:
8388 type: boolean
8389 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, e.g. Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
8390 externalAccountBinding:
8391 type: object
8392 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
8393 properties:
8394 keyAlgorithm:
8395 type: string
8396 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
8397 enum:
8398 - HS256
8399 - HS384
8400 - HS512
8401 keyID:
8402 type: string
8403 description: keyID is the ID of the CA key that the External Account is bound to.
8404 keySecretRef:
8405 type: object
8406 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
8407 properties:
8408 name:
8409 type: string
8410 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8411 key:
8412 type: string
8413 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8414 required:
8415 - name
8416 required:
8417 - keyID
8418 - keySecretRef
8419 preferredChain:
8420 type: string
8421 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
8422 maxLength: 64
8423 privateKeySecretRef:
8424 type: object
8425 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
8426 properties:
8427 name:
8428 type: string
8429 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8430 key:
8431 type: string
8432 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8433 required:
8434 - name
8435 server:
8436 type: string
8437 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
8438 skipTLSVerify:
8439 type: boolean
8440 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
8441 solvers:
8442 type: array
8443 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
8444 items:
8445 type: object
8446 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
8447 properties:
8448 selector:
8449 type: object
8450 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
8451 properties:
8452 dnsNames:
8453 type: array
8454 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8455 items:
8456 type: string
8457 dnsZones:
8458 type: array
8459 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8460 items:
8461 type: string
8462 matchLabels:
8463 type: object
8464 additionalProperties:
8465 type: string
8466 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
8467 dns01:
8468 type: object
8469 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
8470 properties:
8471 acmedns:
8472 type: object
8473 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
8474 properties:
8475 accountSecretRef:
8476 type: object
8477 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8478 properties:
8479 name:
8480 type: string
8481 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8482 key:
8483 type: string
8484 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8485 required:
8486 - name
8487 host:
8488 type: string
8489 required:
8490 - accountSecretRef
8491 - host
8492 akamai:
8493 type: object
8494 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
8495 properties:
8496 accessTokenSecretRef:
8497 type: object
8498 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8499 properties:
8500 name:
8501 type: string
8502 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8503 key:
8504 type: string
8505 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8506 required:
8507 - name
8508 clientSecretSecretRef:
8509 type: object
8510 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8511 properties:
8512 name:
8513 type: string
8514 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8515 key:
8516 type: string
8517 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8518 required:
8519 - name
8520 clientTokenSecretRef:
8521 type: object
8522 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8523 properties:
8524 name:
8525 type: string
8526 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8527 key:
8528 type: string
8529 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8530 required:
8531 - name
8532 serviceConsumerDomain:
8533 type: string
8534 required:
8535 - accessTokenSecretRef
8536 - clientSecretSecretRef
8537 - clientTokenSecretRef
8538 - serviceConsumerDomain
8539 azuredns:
8540 type: object
8541 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
8542 properties:
8543 clientID:
8544 type: string
8545 description: If both this and ClientSecret are left unset, Managed Service Identity (MSI) will be used.
8546 clientSecretSecretRef:
8547 type: object
8548 description: If both this and ClientID are left unset, Managed Service Identity (MSI) will be used.
8549 properties:
8550 name:
8551 type: string
8552 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8553 key:
8554 type: string
8555 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8556 required:
8557 - name
8558 environment:
8559 type: string
8560 enum:
8561 - AzurePublicCloud
8562 - AzureChinaCloud
8563 - AzureGermanCloud
8564 - AzureUSGovernmentCloud
8565 hostedZoneName:
8566 type: string
8567 resourceGroupName:
8568 type: string
8569 subscriptionID:
8570 type: string
8571 tenantID:
8572 type: string
8573 description: When specifying ClientID and ClientSecret, this field is also required.
8574 required:
8575 - resourceGroupName
8576 - subscriptionID
8577 clouddns:
8578 type: object
8579 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
8580 properties:
8581 hostedZoneName:
8582 type: string
8583 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
8584 project:
8585 type: string
8586 serviceAccountSecretRef:
8587 type: object
8588 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8589 properties:
8590 name:
8591 type: string
8592 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8593 key:
8594 type: string
8595 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8596 required:
8597 - name
8598 required:
8599 - project
8600 cloudflare:
8601 type: object
8602 description: Use the Cloudflare API to manage DNS01 challenge records.
8603 properties:
8604 apiKeySecretRef:
8605 type: object
8606 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
8607 properties:
8608 name:
8609 type: string
8610 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8611 key:
8612 type: string
8613 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8614 required:
8615 - name
8616 apiTokenSecretRef:
8617 type: object
8618 description: API token used to authenticate with Cloudflare.
8619 properties:
8620 name:
8621 type: string
8622 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8623 key:
8624 type: string
8625 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8626 required:
8627 - name
8628 email:
8629 type: string
8630 description: Email of the account, only required when using API key based authentication.
8631 cnameStrategy:
8632 type: string
8633 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
8634 enum:
8635 - None
8636 - Follow
8637 digitalocean:
8638 type: object
8639 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
8640 properties:
8641 tokenSecretRef:
8642 type: object
8643 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8644 properties:
8645 name:
8646 type: string
8647 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8648 key:
8649 type: string
8650 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8651 required:
8652 - name
8653 required:
8654 - tokenSecretRef
8655 rfc2136:
8656 type: object
8657 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
8658 properties:
8659 nameserver:
8660 type: string
8661 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
8662 tsigAlgorithm:
8663 type: string
8664 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` is the default only for backwards compatibility; prefer ``HMACSHA256`` or ``HMACSHA512`` and configure the nameserver to accept only that algorithm for the key.'
8665 tsigKeyName:
8666 type: string
8667 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
8668 tsigSecretSecretRef:
8669 type: object
8670 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. If neither TSIG field is set, dynamic updates are sent to the nameserver without TSIG authentication, so the nameserver's update policy must restrict who may update the zone by other means.
8671 properties:
8672 name:
8673 type: string
8674 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8675 key:
8676 type: string
8677 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8678 required:
8679 - name
8680 required:
8681 - nameserver
8682 route53:
8683 type: object
8684 description: Use the AWS Route53 API to manage DNS01 challenge records.
8685 properties:
8686 accessKeyID:
8687 type: string
8688 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
8689 hostedZoneID:
8690 type: string
8691 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
8692 region:
8693 type: string
8694 description: Always set the region when using AccessKeyID and SecretAccessKey
8695 role:
8696 type: string
8697 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
8698 secretAccessKeySecretRef:
8699 type: object
8700 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8701 properties:
8702 name:
8703 type: string
8704 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8705 key:
8706 type: string
8707 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8708 required:
8709 - name
8710 required:
8711 - region
8712 webhook:
8713 type: object
8714 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
8715 properties:
8716 config:
8717 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
8718 x-kubernetes-preserve-unknown-fields: true
8719 groupName:
8720 type: string
8721 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
8722 solverName:
8723 type: string
8724 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
8725 required:
8726 - groupName
8727 - solverName
8728 http01:
8729 type: object
8730 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
8731 properties:
8732 gatewayHTTPRoute:
8733 type: object
8734 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
8735 properties:
8736 labels:
8737 type: object
8738 additionalProperties:
8739 type: string
8740 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
8741 serviceType:
8742 type: string
8743 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8744 ingress:
8745 type: object
8746 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
8747 properties:
8748 name:
8749 type: string
8750 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
8751 class:
8752 type: string
8753 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
8754 ingressTemplate:
8755 type: object
8756 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
8757 properties:
8758 metadata:
8759 type: object
8760 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8761 properties:
8762 labels:
8763 type: object
8764 additionalProperties:
8765 type: string
8766 description: Labels that should be added to the created ACME HTTP01 solver ingress.
8767 annotations:
8768 type: object
8769 additionalProperties:
8770 type: string
8771 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
8772 podTemplate:
8773 type: object
8774 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
8775 properties:
8776 metadata:
8777 type: object
8778 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8779 properties:
8780 labels:
8781 type: object
8782 additionalProperties:
8783 type: string
8784 description: Labels that should be added to the created ACME HTTP01 solver pods.
8785 annotations:
8786 type: object
8787 additionalProperties:
8788 type: string
8789 description: Annotations that should be added to the created ACME HTTP01 solver pods.
8790 spec:
8791 type: object
8792 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
8793 properties:
8794 serviceAccountName:
8795 type: string
8796 description: If specified, the name of the service account the solver pod runs as.
8797 priorityClassName:
8798 type: string
8799 description: If specified, the pod's priorityClassName.
8800 nodeSelector:
8801 type: object
8802 additionalProperties:
8803 type: string
8804 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
8805 affinity:
8806 type: object
8807 description: If specified, the pod's scheduling constraints
8808 properties:
8809 nodeAffinity:
8810 type: object
8811 description: Describes node affinity scheduling rules for the pod.
8812 properties:
8813 preferredDuringSchedulingIgnoredDuringExecution:
8814 type: array
8815 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
8816 items:
8817 type: object
8818 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
8819 properties:
8820 preference:
8821 type: object
8822 description: A node selector term, associated with the corresponding weight.
8823 properties:
8824 matchExpressions:
8825 type: array
8826 description: A list of node selector requirements by node's labels.
8827 items:
8828 type: object
8829 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8830 properties:
8831 key:
8832 type: string
8833 description: The label key that the selector applies to.
8834 operator:
8835 type: string
8836 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8837 values:
8838 type: array
8839 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8840 items:
8841 type: string
8842 required:
8843 - key
8844 - operator
8845 matchFields:
8846 type: array
8847 description: A list of node selector requirements by node's fields.
8848 items:
8849 type: object
8850 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8851 properties:
8852 key:
8853 type: string
8854 description: The label key that the selector applies to.
8855 operator:
8856 type: string
8857 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8858 values:
8859 type: array
8860 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8861 items:
8862 type: string
8863 required:
8864 - key
8865 - operator
8866 weight:
8867 type: integer
8868 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
8869 format: int32
8870 required:
8871 - preference
8872 - weight
8873 requiredDuringSchedulingIgnoredDuringExecution:
8874 type: object
8875 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
8876 properties:
8877 nodeSelectorTerms:
8878 type: array
8879 description: Required. A list of node selector terms. The terms are ORed.
8880 items:
8881 type: object
8882 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
8883 properties:
8884 matchExpressions:
8885 type: array
8886 description: A list of node selector requirements by node's labels.
8887 items:
8888 type: object
8889 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8890 properties:
8891 key:
8892 type: string
8893 description: The label key that the selector applies to.
8894 operator:
8895 type: string
8896 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8897 values:
8898 type: array
8899 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8900 items:
8901 type: string
8902 required:
8903 - key
8904 - operator
8905 matchFields:
8906 type: array
8907 description: A list of node selector requirements by node's fields.
8908 items:
8909 type: object
8910 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8911 properties:
8912 key:
8913 type: string
8914 description: The label key that the selector applies to.
8915 operator:
8916 type: string
8917 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8918 values:
8919 type: array
8920 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8921 items:
8922 type: string
8923 required:
8924 - key
8925 - operator
8926 required:
8927 - nodeSelectorTerms
8928 podAffinity:
8929 type: object
8930 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
8931 properties:
8932 preferredDuringSchedulingIgnoredDuringExecution:
8933 type: array
8934 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
8935 items:
8936 type: object
8937 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
8938 properties:
8939 podAffinityTerm:
8940 type: object
8941 description: Required. A pod affinity term, associated with the corresponding weight.
8942 properties:
8943 labelSelector:
8944 type: object
8945 description: A label query over a set of resources, in this case pods.
8946 properties:
8947 matchExpressions:
8948 type: array
8949 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8950 items:
8951 type: object
8952 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8953 properties:
8954 key:
8955 type: string
8956 description: key is the label key that the selector applies to.
8957 operator:
8958 type: string
8959 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8960 values:
8961 type: array
8962 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8963 items:
8964 type: string
8965 required:
8966 - key
8967 - operator
8968 matchLabels:
8969 type: object
8970 additionalProperties:
8971 type: string
8972 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8973 namespaceSelector:
8974 type: object
8975 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8976 properties:
8977 matchExpressions:
8978 type: array
8979 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8980 items:
8981 type: object
8982 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8983 properties:
8984 key:
8985 type: string
8986 description: key is the label key that the selector applies to.
8987 operator:
8988 type: string
8989 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8990 values:
8991 type: array
8992 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8993 items:
8994 type: string
8995 required:
8996 - key
8997 - operator
8998 matchLabels:
8999 type: object
9000 additionalProperties:
9001 type: string
9002 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9003 namespaces:
9004 type: array
9005 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9006 items:
9007 type: string
9008 topologyKey:
9009 type: string
9010 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9011 required:
9012 - topologyKey
9013 weight:
9014 type: integer
9015 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
9016 format: int32
9017 required:
9018 - podAffinityTerm
9019 - weight
9020 requiredDuringSchedulingIgnoredDuringExecution:
9021 type: array
9022 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
9023 items:
9024 type: object
9025 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
9026 properties:
9027 labelSelector:
9028 type: object
9029 description: A label query over a set of resources, in this case pods.
9030 properties:
9031 matchExpressions:
9032 type: array
9033 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9034 items:
9035 type: object
9036 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9037 properties:
9038 key:
9039 type: string
9040 description: key is the label key that the selector applies to.
9041 operator:
9042 type: string
9043 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9044 values:
9045 type: array
9046 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9047 items:
9048 type: string
9049 required:
9050 - key
9051 - operator
9052 matchLabels:
9053 type: object
9054 additionalProperties:
9055 type: string
9056 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9057 namespaceSelector:
9058 type: object
9059 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9060 properties:
9061 matchExpressions:
9062 type: array
9063 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9064 items:
9065 type: object
9066 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9067 properties:
9068 key:
9069 type: string
9070 description: key is the label key that the selector applies to.
9071 operator:
9072 type: string
9073 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9074 values:
9075 type: array
9076 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9077 items:
9078 type: string
9079 required:
9080 - key
9081 - operator
9082 matchLabels:
9083 type: object
9084 additionalProperties:
9085 type: string
9086 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9087 namespaces:
9088 type: array
9089 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9090 items:
9091 type: string
9092 topologyKey:
9093 type: string
9094 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9095 required:
9096 - topologyKey
9097 podAntiAffinity:
9098 type: object
9099 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
9100 properties:
9101 preferredDuringSchedulingIgnoredDuringExecution:
9102 type: array
9103 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
9104 items:
9105 type: object
9106 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9107 properties:
9108 podAffinityTerm:
9109 type: object
9110 description: Required. A pod affinity term, associated with the corresponding weight.
9111 properties:
9112 labelSelector:
9113 type: object
9114 description: A label query over a set of resources, in this case pods.
9115 properties:
9116 matchExpressions:
9117 type: array
9118 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9119 items:
9120 type: object
9121 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9122 properties:
9123 key:
9124 type: string
9125 description: key is the label key that the selector applies to.
9126 operator:
9127 type: string
9128 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9129 values:
9130 type: array
9131 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9132 items:
9133 type: string
9134 required:
9135 - key
9136 - operator
9137 matchLabels:
9138 type: object
9139 additionalProperties:
9140 type: string
9141 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9142 namespaceSelector:
9143 type: object
9144 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9145 properties:
9146 matchExpressions:
9147 type: array
9148 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9149 items:
9150 type: object
9151 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9152 properties:
9153 key:
9154 type: string
9155 description: key is the label key that the selector applies to.
9156 operator:
9157 type: string
9158 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9159 values:
9160 type: array
9161 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9162 items:
9163 type: string
9164 required:
9165 - key
9166 - operator
9167 matchLabels:
9168 type: object
9169 additionalProperties:
9170 type: string
9171 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9172 namespaces:
9173 type: array
9174 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9175 items:
9176 type: string
9177 topologyKey:
9178 type: string
9179 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9180 required:
9181 - topologyKey
9182 weight:
9183 type: integer
9184 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
9185 format: int32
9186 required:
9187 - podAffinityTerm
9188 - weight
9189 requiredDuringSchedulingIgnoredDuringExecution:
9190 type: array
9191 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
9192 items:
9193 type: object
9194 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
9195 properties:
9196 labelSelector:
9197 type: object
9198 description: A label query over a set of resources, in this case pods.
9199 properties:
9200 matchExpressions:
9201 type: array
9202 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9203 items:
9204 type: object
9205 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9206 properties:
9207 key:
9208 type: string
9209 description: key is the label key that the selector applies to.
9210 operator:
9211 type: string
9212 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9213 values:
9214 type: array
9215 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9216 items:
9217 type: string
9218 required:
9219 - key
9220 - operator
9221 matchLabels:
9222 type: object
9223 additionalProperties:
9224 type: string
9225 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9226 namespaceSelector:
9227 type: object
9228 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9229 properties:
9230 matchExpressions:
9231 type: array
9232 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9233 items:
9234 type: object
9235 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9236 properties:
9237 key:
9238 type: string
9239 description: key is the label key that the selector applies to.
9240 operator:
9241 type: string
9242 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9243 values:
9244 type: array
9245 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9246 items:
9247 type: string
9248 required:
9249 - key
9250 - operator
9251 matchLabels:
9252 type: object
9253 additionalProperties:
9254 type: string
9255 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9256 namespaces:
9257 type: array
9258 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9259 items:
9260 type: string
9261 topologyKey:
9262 type: string
9263 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9264 required:
9265 - topologyKey
9266 tolerations:
9267 type: array
9268 description: If specified, the pod's tolerations.
9269 items:
9270 type: object
9271 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
9272 properties:
9273 value:
9274 type: string
9275 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
9276 effect:
9277 type: string
9278 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
9279 key:
9280 type: string
9281 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
9282 operator:
9283 type: string
9284 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
9285 tolerationSeconds:
9286 type: integer
9287 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
9288 format: int64
9289 serviceType:
9290 type: string
9291 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9292 required:
9293 - privateKeySecretRef
9294 - server
9295 ca:
9296 type: object
9297 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
9298 properties:
9299 crlDistributionPoints:
9300 type: array
9301 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
9302 items:
9303 type: string
9304 ocspServers:
9305 type: array
9306 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
9307 items:
9308 type: string
9309 secretName:
9310 type: string
9311 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
9312 required:
9313 - secretName
9314 selfSigned:
9315 type: object
9316 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
9317 properties:
9318 crlDistributionPoints:
9319 type: array
9320 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
9321 items:
9322 type: string
9323 vault:
9324 type: object
9325 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
9326 properties:
9327 namespace:
9328 type: string
9329 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
9330 auth:
9331 type: object
9332 description: Auth configures how cert-manager authenticates with the Vault server.
9333 properties:
9334 appRole:
9335 type: object
9336 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
9337 properties:
9338 secretRef:
9339 type: object
9340 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
9341 properties:
9342 name:
9343 type: string
9344 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9345 key:
9346 type: string
9347 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9348 required:
9349 - name
9350 path:
9351 type: string
9352 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
9353 roleId:
9354 type: string
9355 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
9356 required:
9357 - path
9358 - roleId
9359 - secretRef
9360 kubernetes:
9361 type: object
9362 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
9363 properties:
9364 mountPath:
9365 type: string
9366 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo` will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
9367 secretRef:
9368 type: object
9369 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
9370 properties:
9371 name:
9372 type: string
9373 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9374 key:
9375 type: string
9376 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9377 required:
9378 - name
9379 role:
9380 type: string
9381 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
9382 required:
9383 - role
9384 - secretRef
9385 tokenSecretRef:
9386 type: object
9387 description: TokenSecretRef authenticates with Vault by presenting a token.
9388 properties:
9389 name:
9390 type: string
9391 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9392 key:
9393 type: string
9394 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9395 required:
9396 - name
9397 caBundle:
9398 type: string
9399 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
9400 format: byte
9401 path:
9402 type: string
9403 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
9404 server:
9405 type: string
9406 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
9407 required:
9408 - auth
9409 - path
9410 - server
9411 venafi:
9412 type: object
9413 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
9414 properties:
9415 cloud:
9416 type: object
9417 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
9418 properties:
9419 apiTokenSecretRef:
9420 type: object
9421 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
9422 properties:
9423 name:
9424 type: string
9425 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9426 key:
9427 type: string
9428 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9429 required:
9430 - name
9431 url:
9432 type: string
9433 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
9434 required:
9435 - apiTokenSecretRef
9436 tpp:
9437 type: object
9438 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
9439 properties:
9440 caBundle:
9441 type: string
9442 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
9443 format: byte
9444 credentialsRef:
9445 type: object
9446 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
9447 properties:
9448 name:
9449 type: string
9450 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9451 required:
9452 - name
9453 url:
9454 type: string
9455 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
9456 required:
9457 - credentialsRef
9458 - url
9459 zone:
9460 type: string
9461 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
9462 required:
9463 - zone
9464 status:
9465 type: object
9466 description: Status of the ClusterIssuer. This is set and managed automatically.
9467 properties:
9468 acme:
9469 type: object
9470 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
9471 properties:
9472 lastRegisteredEmail:
9473 type: string
9474 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
9475 uri:
9476 type: string
9477 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
9478 conditions:
9479 type: array
9480 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
9481 items:
9482 type: object
9483 description: IssuerCondition contains condition information for an Issuer.
9484 properties:
9485 type:
9486 type: string
9487 description: Type of the condition, known values are (`Ready`).
9488 status:
9489 type: string
9490 description: Status of the condition, one of (`True`, `False`, `Unknown`).
9491 enum:
9492 - "True"
9493 - "False"
9494 - Unknown
9495 lastTransitionTime:
9496 type: string
9497 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
9498 format: date-time
9499 message:
9500 type: string
9501 description: Message is a human readable description of the details of the last transition, complementing reason.
9502 observedGeneration:
9503 type: integer
9504 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
9505 format: int64
9506 reason:
9507 type: string
9508 description: Reason is a brief machine readable explanation for the condition's last transition.
9509 required:
9510 - status
9511 - type
9512 served: true
9513 storage: false
9514 subresources:
9515 status: {}
9516 - name: v1beta1
9517 additionalPrinterColumns:
9518 - name: Ready
9519 type: string
9520 jsonPath: .status.conditions[?(@.type=="Ready")].status
9521 - name: Status
9522 type: string
9523 priority: 1
9524 jsonPath: .status.conditions[?(@.type=="Ready")].message
9525 - name: Age
9526 type: date
9527 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
9528 jsonPath: .metadata.creationTimestamp
9529 schema:
9530 openAPIV3Schema:
9531 type: object
9532 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
9533 properties:
9534 apiVersion:
9535 type: string
9536 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9537 kind:
9538 type: string
9539 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9540 metadata:
9541 type: object
9542 spec:
9543 type: object
9544 description: Desired state of the ClusterIssuer resource.
9545 properties:
9546 acme:
9547 type: object
9548 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
9549 properties:
9550 disableAccountKeyGeneration:
9551 type: boolean
9552 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
9553 email:
9554 type: string
9555 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
9556 enableDurationFeature:
9557 type: boolean
9558 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
9559 externalAccountBinding:
9560 type: object
9561 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
9562 properties:
9563 keyAlgorithm:
9564 type: string
9565 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
9566 enum:
9567 - HS256
9568 - HS384
9569 - HS512
9570 keyID:
9571 type: string
9572 description: keyID is the ID of the CA key that the External Account is bound to.
9573 keySecretRef:
9574 type: object
9575 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
9576 properties:
9577 name:
9578 type: string
9579 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9580 key:
9581 type: string
9582 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9583 required:
9584 - name
9585 required:
9586 - keyID
9587 - keySecretRef
9588 preferredChain:
9589 type: string
9590 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
9591 maxLength: 64
9592 privateKeySecretRef:
9593 type: object
9594 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
9595 properties:
9596 name:
9597 type: string
9598 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9599 key:
9600 type: string
9601 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9602 required:
9603 - name
9604 server:
9605 type: string
9606 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
9607 skipTLSVerify:
9608 type: boolean
9609 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
9610 solvers:
9611 type: array
9612 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
9613 items:
9614 type: object
9615 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
9616 properties:
9617 selector:
9618 type: object
9619 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
9620 properties:
9621 dnsNames:
9622 type: array
9623 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9624 items:
9625 type: string
9626 dnsZones:
9627 type: array
9628 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9629 items:
9630 type: string
9631 matchLabels:
9632 type: object
9633 additionalProperties:
9634 type: string
9635 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
9636 dns01:
9637 type: object
9638 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
9639 properties:
9640 acmeDNS:
9641 type: object
9642 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
9643 properties:
9644 accountSecretRef:
9645 type: object
9646 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9647 properties:
9648 name:
9649 type: string
9650 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9651 key:
9652 type: string
9653 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9654 required:
9655 - name
9656 host:
9657 type: string
9658 required:
9659 - accountSecretRef
9660 - host
9661 akamai:
9662 type: object
9663 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
9664 properties:
9665 accessTokenSecretRef:
9666 type: object
9667 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9668 properties:
9669 name:
9670 type: string
9671 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9672 key:
9673 type: string
9674 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9675 required:
9676 - name
9677 clientSecretSecretRef:
9678 type: object
9679 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9680 properties:
9681 name:
9682 type: string
9683 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9684 key:
9685 type: string
9686 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9687 required:
9688 - name
9689 clientTokenSecretRef:
9690 type: object
9691 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9692 properties:
9693 name:
9694 type: string
9695 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9696 key:
9697 type: string
9698 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9699 required:
9700 - name
9701 serviceConsumerDomain:
9702 type: string
9703 required:
9704 - accessTokenSecretRef
9705 - clientSecretSecretRef
9706 - clientTokenSecretRef
9707 - serviceConsumerDomain
9708 azureDNS:
9709 type: object
9710 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
9711 properties:
9712 clientID:
9713 type: string
9714 description: If both this and ClientSecret are left unset, MSI will be used.
9715 clientSecretSecretRef:
9716 type: object
9717 description: If both this and ClientID are left unset, MSI will be used.
9718 properties:
9719 name:
9720 type: string
9721 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9722 key:
9723 type: string
9724 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9725 required:
9726 - name
9727 environment:
9728 type: string
9729 enum:
9730 - AzurePublicCloud
9731 - AzureChinaCloud
9732 - AzureGermanCloud
9733 - AzureUSGovernmentCloud
9734 hostedZoneName:
9735 type: string
9736 resourceGroupName:
9737 type: string
9738 subscriptionID:
9739 type: string
9740 tenantID:
9741 type: string
9742 description: When specifying ClientID and ClientSecret, this field is also needed.
9743 required:
9744 - resourceGroupName
9745 - subscriptionID
9746 cloudDNS:
9747 type: object
9748 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
9749 properties:
9750 hostedZoneName:
9751 type: string
9752 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
9753 project:
9754 type: string
9755 serviceAccountSecretRef:
9756 type: object
9757 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9758 properties:
9759 name:
9760 type: string
9761 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9762 key:
9763 type: string
9764 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9765 required:
9766 - name
9767 required:
9768 - project
9769 cloudflare:
9770 type: object
9771 description: Use the Cloudflare API to manage DNS01 challenge records.
9772 properties:
9773 apiKeySecretRef:
9774 type: object
9775 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
9776 properties:
9777 name:
9778 type: string
9779 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9780 key:
9781 type: string
9782 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9783 required:
9784 - name
9785 apiTokenSecretRef:
9786 type: object
9787 description: API token used to authenticate with Cloudflare.
9788 properties:
9789 name:
9790 type: string
9791 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9792 key:
9793 type: string
9794 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9795 required:
9796 - name
9797 email:
9798 type: string
9799 description: Email of the account, only required when using API key based authentication.
9800 cnameStrategy:
9801 type: string
9802 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
9803 enum:
9804 - None
9805 - Follow
9806 digitalocean:
9807 type: object
9808 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
9809 properties:
9810 tokenSecretRef:
9811 type: object
9812 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9813 properties:
9814 name:
9815 type: string
9816 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9817 key:
9818 type: string
9819 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9820 required:
9821 - name
9822 required:
9823 - tokenSecretRef
9824 rfc2136:
9825 type: object
9826 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
9827 properties:
9828 nameserver:
9829 type: string
9830 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
9831 tsigAlgorithm:
9832 type: string
9833 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
9834 tsigKeyName:
9835 type: string
9836 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
9837 tsigSecretSecretRef:
9838 type: object
9839 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
9840 properties:
9841 name:
9842 type: string
9843 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9844 key:
9845 type: string
9846 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9847 required:
9848 - name
9849 required:
9850 - nameserver
9851 route53:
9852 type: object
9853 description: Use the AWS Route53 API to manage DNS01 challenge records.
9854 properties:
9855 accessKeyID:
9856 type: string
9857 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
9858 hostedZoneID:
9859 type: string
9860 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
9861 region:
9862 type: string
9863 description: Always set the region when using AccessKeyID and SecretAccessKey
9864 role:
9865 type: string
9866 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
9867 secretAccessKeySecretRef:
9868 type: object
9869 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
9870 properties:
9871 name:
9872 type: string
9873 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9874 key:
9875 type: string
9876 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9877 required:
9878 - name
9879 required:
9880 - region
9881 webhook:
9882 type: object
9883 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
9884 properties:
9885 config:
9886 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
9887 x-kubernetes-preserve-unknown-fields: true
9888 groupName:
9889 type: string
9890 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
9891 solverName:
9892 type: string
9893 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
9894 required:
9895 - groupName
9896 - solverName
9897 http01:
9898 type: object
9899 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
9900 properties:
9901 gatewayHTTPRoute:
9902 type: object
9903 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
9904 properties:
9905 labels:
9906 type: object
9907 additionalProperties:
9908 type: string
9909 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
9910 serviceType:
9911 type: string
9912 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9913 ingress:
9914 type: object
9915 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
9916 properties:
9917 name:
9918 type: string
9919 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
9920 class:
9921 type: string
9922 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
9923 ingressTemplate:
9924 type: object
9925 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
9926 properties:
9927 metadata:
9928 type: object
9929 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9930 properties:
9931 labels:
9932 type: object
9933 additionalProperties:
9934 type: string
9935 description: Labels that should be added to the created ACME HTTP01 solver ingress.
9936 annotations:
9937 type: object
9938 additionalProperties:
9939 type: string
9940 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
9941 podTemplate:
9942 type: object
9943 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
9944 properties:
9945 metadata:
9946 type: object
9947 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9948 properties:
9949 labels:
9950 type: object
9951 additionalProperties:
9952 type: string
9953 description: Labels that should be added to the created ACME HTTP01 solver pods.
9954 annotations:
9955 type: object
9956 additionalProperties:
9957 type: string
9958 description: Annotations that should be added to the created ACME HTTP01 solver pods.
9959 spec:
9960 type: object
9961 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
9962 properties:
9963 serviceAccountName:
9964 type: string
9965 description: If specified, the pod's service account
9966 priorityClassName:
9967 type: string
9968 description: If specified, the pod's priorityClassName.
9969 nodeSelector:
9970 type: object
9971 additionalProperties:
9972 type: string
9973 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
9974 affinity:
9975 type: object
9976 description: If specified, the pod's scheduling constraints
9977 properties:
9978 nodeAffinity:
9979 type: object
9980 description: Describes node affinity scheduling rules for the pod.
9981 properties:
9982 preferredDuringSchedulingIgnoredDuringExecution:
9983 type: array
9984 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
9985 items:
9986 type: object
9987 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
9988 properties:
9989 preference:
9990 type: object
9991 description: A node selector term, associated with the corresponding weight.
9992 properties:
9993 matchExpressions:
9994 type: array
9995 description: A list of node selector requirements by node's labels.
9996 items:
9997 type: object
9998 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9999 properties:
10000 key:
10001 type: string
10002 description: The label key that the selector applies to.
10003 operator:
10004 type: string
10005 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10006 values:
10007 type: array
10008 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10009 items:
10010 type: string
10011 required:
10012 - key
10013 - operator
10014 matchFields:
10015 type: array
10016 description: A list of node selector requirements by node's fields.
10017 items:
10018 type: object
10019 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10020 properties:
10021 key:
10022 type: string
10023 description: The label key that the selector applies to.
10024 operator:
10025 type: string
10026 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10027 values:
10028 type: array
10029 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10030 items:
10031 type: string
10032 required:
10033 - key
10034 - operator
10035 weight:
10036 type: integer
10037 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
10038 format: int32
10039 required:
10040 - preference
10041 - weight
10042 requiredDuringSchedulingIgnoredDuringExecution:
10043 type: object
10044 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
10045 properties:
10046 nodeSelectorTerms:
10047 type: array
10048 description: Required. A list of node selector terms. The terms are ORed.
10049 items:
10050 type: object
10051 description: A null or empty node selector term matches no objects. The requirements of a term are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
10052 properties:
10053 matchExpressions:
10054 type: array
10055 description: A list of node selector requirements by node's labels.
10056 items:
10057 type: object
10058 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10059 properties:
10060 key:
10061 type: string
10062 description: The label key that the selector applies to.
10063 operator:
10064 type: string
10065 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10066 values:
10067 type: array
10068 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10069 items:
10070 type: string
10071 required:
10072 - key
10073 - operator
10074 matchFields:
10075 type: array
10076 description: A list of node selector requirements by node's fields.
10077 items:
10078 type: object
10079 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10080 properties:
10081 key:
10082 type: string
10083 description: The label key that the selector applies to.
10084 operator:
10085 type: string
10086 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10087 values:
10088 type: array
10089 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10090 items:
10091 type: string
10092 required:
10093 - key
10094 - operator
10095 required:
10096 - nodeSelectorTerms
10097 podAffinity:
10098 type: object
10099 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
10100 properties:
10101 preferredDuringSchedulingIgnoredDuringExecution:
10102 type: array
10103 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10104 items:
10105 type: object
10106 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10107 properties:
10108 podAffinityTerm:
10109 type: object
10110 description: Required. A pod affinity term, associated with the corresponding weight.
10111 properties:
10112 labelSelector:
10113 type: object
10114 description: A label query over a set of resources, in this case pods.
10115 properties:
10116 matchExpressions:
10117 type: array
10118 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10119 items:
10120 type: object
10121 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10122 properties:
10123 key:
10124 type: string
10125 description: key is the label key that the selector applies to.
10126 operator:
10127 type: string
10128 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10129 values:
10130 type: array
10131 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10132 items:
10133 type: string
10134 required:
10135 - key
10136 - operator
10137 matchLabels:
10138 type: object
10139 additionalProperties:
10140 type: string
10141 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10142 namespaceSelector:
10143 type: object
10144 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10145 properties:
10146 matchExpressions:
10147 type: array
10148 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10149 items:
10150 type: object
10151 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10152 properties:
10153 key:
10154 type: string
10155 description: key is the label key that the selector applies to.
10156 operator:
10157 type: string
10158 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10159 values:
10160 type: array
10161 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10162 items:
10163 type: string
10164 required:
10165 - key
10166 - operator
10167 matchLabels:
10168 type: object
10169 additionalProperties:
10170 type: string
10171 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10172 namespaces:
10173 type: array
10174 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10175 items:
10176 type: string
10177 topologyKey:
10178 type: string
10179 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10180 required:
10181 - topologyKey
10182 weight:
10183 type: integer
10184 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10185 format: int32
10186 required:
10187 - podAffinityTerm
10188 - weight
10189 requiredDuringSchedulingIgnoredDuringExecution:
10190 type: array
10191 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10192 items:
10193 type: object
10194 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10195 properties:
10196 labelSelector:
10197 type: object
10198 description: A label query over a set of resources, in this case pods.
10199 properties:
10200 matchExpressions:
10201 type: array
10202 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10203 items:
10204 type: object
10205 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10206 properties:
10207 key:
10208 type: string
10209 description: key is the label key that the selector applies to.
10210 operator:
10211 type: string
10212 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10213 values:
10214 type: array
10215 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10216 items:
10217 type: string
10218 required:
10219 - key
10220 - operator
10221 matchLabels:
10222 type: object
10223 additionalProperties:
10224 type: string
10225 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10226 namespaceSelector:
10227 type: object
10228 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10229 properties:
10230 matchExpressions:
10231 type: array
10232 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10233 items:
10234 type: object
10235 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10236 properties:
10237 key:
10238 type: string
10239 description: key is the label key that the selector applies to.
10240 operator:
10241 type: string
10242 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10243 values:
10244 type: array
10245 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10246 items:
10247 type: string
10248 required:
10249 - key
10250 - operator
10251 matchLabels:
10252 type: object
10253 additionalProperties:
10254 type: string
10255 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10256 namespaces:
10257 type: array
10258 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10259 items:
10260 type: string
10261 topologyKey:
10262 type: string
10263 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10264 required:
10265 - topologyKey
10266 podAntiAffinity:
10267 type: object
10268 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
10269 properties:
10270 preferredDuringSchedulingIgnoredDuringExecution:
10271 type: array
10272 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10273 items:
10274 type: object
10275 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10276 properties:
10277 podAffinityTerm:
10278 type: object
10279 description: Required. A pod affinity term, associated with the corresponding weight.
10280 properties:
10281 labelSelector:
10282 type: object
10283 description: A label query over a set of resources, in this case pods.
10284 properties:
10285 matchExpressions:
10286 type: array
10287 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10288 items:
10289 type: object
10290 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10291 properties:
10292 key:
10293 type: string
10294 description: key is the label key that the selector applies to.
10295 operator:
10296 type: string
10297 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10298 values:
10299 type: array
10300 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10301 items:
10302 type: string
10303 required:
10304 - key
10305 - operator
10306 matchLabels:
10307 type: object
10308 additionalProperties:
10309 type: string
10310 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10311 namespaceSelector:
10312 type: object
10313 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10314 properties:
10315 matchExpressions:
10316 type: array
10317 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10318 items:
10319 type: object
10320 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10321 properties:
10322 key:
10323 type: string
10324 description: key is the label key that the selector applies to.
10325 operator:
10326 type: string
10327 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10328 values:
10329 type: array
10330 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10331 items:
10332 type: string
10333 required:
10334 - key
10335 - operator
10336 matchLabels:
10337 type: object
10338 additionalProperties:
10339 type: string
10340 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10341 namespaces:
10342 type: array
10343 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10344 items:
10345 type: string
10346 topologyKey:
10347 type: string
10348 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10349 required:
10350 - topologyKey
10351 weight:
10352 type: integer
10353 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10354 format: int32
10355 required:
10356 - podAffinityTerm
10357 - weight
10358 requiredDuringSchedulingIgnoredDuringExecution:
10359 type: array
10360 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10361 items:
10362 type: object
10363 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10364 properties:
10365 labelSelector:
10366 type: object
10367 description: A label query over a set of resources, in this case pods.
10368 properties:
10369 matchExpressions:
10370 type: array
10371 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10372 items:
10373 type: object
10374 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10375 properties:
10376 key:
10377 type: string
10378 description: key is the label key that the selector applies to.
10379 operator:
10380 type: string
10381 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10382 values:
10383 type: array
10384 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10385 items:
10386 type: string
10387 required:
10388 - key
10389 - operator
10390 matchLabels:
10391 type: object
10392 additionalProperties:
10393 type: string
10394 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10395 namespaceSelector:
10396 type: object
10397 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10398 properties:
10399 matchExpressions:
10400 type: array
10401 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10402 items:
10403 type: object
10404 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10405 properties:
10406 key:
10407 type: string
10408 description: key is the label key that the selector applies to.
10409 operator:
10410 type: string
10411 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10412 values:
10413 type: array
10414 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10415 items:
10416 type: string
10417 required:
10418 - key
10419 - operator
10420 matchLabels:
10421 type: object
10422 additionalProperties:
10423 type: string
10424 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10425 namespaces:
10426 type: array
10427 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10428 items:
10429 type: string
10430 topologyKey:
10431 type: string
10432 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10433 required:
10434 - topologyKey
10435 tolerations:
10436 type: array
10437 description: If specified, the pod's tolerations.
10438 items:
10439 type: object
10440 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
10441 properties:
10442 value:
10443 type: string
10444 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
10445 effect:
10446 type: string
10447 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
10448 key:
10449 type: string
10450 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
10451 operator:
10452 type: string
10453 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
10454 tolerationSeconds:
10455 type: integer
10456 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
10457 format: int64
10458 serviceType:
10459 type: string
10460 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
10461 required:
10462 - privateKeySecretRef
10463 - server
10464 ca:
10465 type: object
10466 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
10467 properties:
10468 crlDistributionPoints:
10469 type: array
10470 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
10471 items:
10472 type: string
10473 ocspServers:
10474 type: array
10475 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
10476 items:
10477 type: string
10478 secretName:
10479 type: string
10480 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
10481 required:
10482 - secretName
10483 selfSigned:
10484 type: object
10485 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
10486 properties:
10487 crlDistributionPoints:
10488 type: array
10489 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
10490 items:
10491 type: string
10492 vault:
10493 type: object
10494 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
10495 properties:
10496 namespace:
10497 type: string
10498 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
10499 auth:
10500 type: object
10501 description: Auth configures how cert-manager authenticates with the Vault server.
10502 properties:
10503 appRole:
10504 type: object
10505 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
10506 properties:
10507 secretRef:
10508 type: object
10509 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
10510 properties:
10511 name:
10512 type: string
10513 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10514 key:
10515 type: string
10516 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10517 required:
10518 - name
10519 path:
10520 type: string
10521 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
10522 roleId:
10523 type: string
10524 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
10525 required:
10526 - path
10527 - roleId
10528 - secretRef
10529 kubernetes:
10530 type: object
10531 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
10532 properties:
10533 mountPath:
10534 type: string
10535 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value of `/v1/auth/foo` will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
10536 secretRef:
10537 type: object
10538 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
10539 properties:
10540 name:
10541 type: string
10542 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10543 key:
10544 type: string
10545 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10546 required:
10547 - name
10548 role:
10549 type: string
10550 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
10551 required:
10552 - role
10553 - secretRef
10554 tokenSecretRef:
10555 type: object
10556 description: TokenSecretRef authenticates with Vault by presenting a token.
10557 properties:
10558 name:
10559 type: string
10560 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10561 key:
10562 type: string
10563 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10564 required:
10565 - name
10566 caBundle:
10567 type: string
10568 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection.
10569 format: byte
10570 path:
10571 type: string
10572 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
10573 server:
10574 type: string
10575 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
10576 required:
10577 - auth
10578 - path
10579 - server
10580 venafi:
10581 type: object
10582 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
10583 properties:
10584 cloud:
10585 type: object
10586 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
10587 properties:
10588 apiTokenSecretRef:
10589 type: object
10590 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
10591 properties:
10592 name:
10593 type: string
10594 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10595 key:
10596 type: string
10597 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10598 required:
10599 - name
10600 url:
10601 type: string
10602 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
10603 required:
10604 - apiTokenSecretRef
10605 tpp:
10606 type: object
10607 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
10608 properties:
10609 caBundle:
10610 type: string
10611 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
10612 format: byte
10613 credentialsRef:
10614 type: object
10615 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
10616 properties:
10617 name:
10618 type: string
10619 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10620 required:
10621 - name
10622 url:
10623 type: string
10624 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
10625 required:
10626 - credentialsRef
10627 - url
10628 zone:
10629 type: string
10630 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
10631 required:
10632 - zone
10633 status:
10634 type: object
10635 description: Status of the ClusterIssuer. This is set and managed automatically.
10636 properties:
10637 acme:
10638 type: object
10639 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
10640 properties:
10641 lastRegisteredEmail:
10642 type: string
10643 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
10644 uri:
10645 type: string
10646 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
10647 conditions:
10648 type: array
10649 description: List of status conditions to indicate the status of an Issuer or ClusterIssuer. Known condition types are `Ready`.
10650 items:
10651 type: object
10652 description: IssuerCondition contains condition information for an Issuer.
10653 properties:
10654 type:
10655 type: string
10656 description: Type of the condition, known values are (`Ready`).
10657 status:
10658 type: string
10659 description: Status of the condition, one of (`True`, `False`, `Unknown`).
10660 enum:
10661 - "True"
10662 - "False"
10663 - Unknown
10664 lastTransitionTime:
10665 type: string
10666 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
10667 format: date-time
10668 message:
10669 type: string
10670 description: Message is a human readable description of the details of the last transition, complementing reason.
10671 observedGeneration:
10672 type: integer
10673 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
10674 format: int64
10675 reason:
10676 type: string
10677 description: Reason is a brief machine readable explanation for the condition's last transition.
10678 required:
10679 - status
10680 - type
10681 required:
10682 - spec
10683 served: true
10684 storage: false
10685 subresources:
10686 status: {}
10687---
10688# Source: cert-manager/templates/templates.out
10689apiVersion: apiextensions.k8s.io/v1
10690kind: CustomResourceDefinition
10691metadata:
10692 name: issuers.cert-manager.io
10693 labels:
10694 app: 'cert-manager'
10695 app.kubernetes.io/instance: 'cert-manager'
10696 app.kubernetes.io/name: 'cert-manager'
10697 # Generated labels
10698 app.kubernetes.io/version: "v1.5.4"
10699 annotations:
10700 cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
10701 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
10702 pallet.edge.ncr.com/name: cert-manager
10703 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
10704 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
10705 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
10706 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
10707spec:
10708 conversion:
10709 # The Webhook strategy instructs the API server to call an external webhook for any conversion between custom resource versions.
10710 strategy: Webhook
10711 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
10712 webhook:
10713 clientConfig:
10714 #
10715 service:
10716 name: 'cert-manager-webhook'
10717 namespace: "cert-manager"
10718 path: /convert
10719 #
10720 # We don't actually support `v1beta1`, but it is listed here as it is a
10721 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
10722 # API server reads the supported versions in order, so _should always_
10723 # attempt a `v1` request which is understood by the cert-manager webhook.
10724 # Any `v1beta1` request will return an error and fail closed for that
10725 # resource (the whole object request is rejected).
10726 # When we no longer support v1.16 we can remove `v1beta1` from this list.
10727 conversionReviewVersions: ["v1", "v1beta1"]
10728 group: cert-manager.io
10729 names:
10730 kind: Issuer
10731 categories:
10732 - cert-manager
10733 listKind: IssuerList
10734 plural: issuers
10735 singular: issuer
10736 scope: Namespaced
10737 versions:
10738 - name: v1
10739 additionalPrinterColumns:
10740 - name: Ready
10741 type: string
10742 jsonPath: .status.conditions[?(@.type=="Ready")].status
10743 - name: Status
10744 type: string
10745 priority: 1
10746 jsonPath: .status.conditions[?(@.type=="Ready")].message
10747 - name: Age
10748 type: date
10749 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
10750 jsonPath: .metadata.creationTimestamp
10751 schema:
10752 openAPIV3Schema:
10753 type: object
10754 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
10755 properties:
10756 apiVersion:
10757 type: string
10758 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10759 kind:
10760 type: string
10761 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10762 metadata:
10763 type: object
10764 spec:
10765 type: object
10766 description: Desired state of the Issuer resource.
10767 properties:
10768 acme:
10769 type: object
10770 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
10771 properties:
10772 disableAccountKeyGeneration:
10773 type: boolean
10774 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
10775 email:
10776 type: string
10777 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
10778 enableDurationFeature:
10779 type: boolean
10780 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers (for example Let's Encrypt). If set to true when the ACME server does not support it, an error will be raised on the Order. Defaults to false.
10781 externalAccountBinding:
10782 type: object
10783 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
10784 properties:
10785 keyAlgorithm:
10786 type: string
10787 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
10788 enum:
10789 - HS256
10790 - HS384
10791 - HS512
10792 keyID:
10793 type: string
10794 description: keyID is the ID of the CA key that the External Account is bound to.
10795 keySecretRef:
10796 type: object
10797 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
10798 properties:
10799 name:
10800 type: string
10801 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10802 key:
10803 type: string
10804 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10805 required:
10806 - name
10807 required:
10808 - keyID
10809 - keySecretRef
10810 preferredChain:
10811 type: string
10812 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
10813 maxLength: 64
10814 privateKeySecretRef:
10815 type: object
10816 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
10817 properties:
10818 name:
10819 type: string
10820 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10821 key:
10822 type: string
10823 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10824 required:
10825 - name
10826 server:
10827 type: string
10828 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
10829 skipTLSVerify:
10830 type: boolean
10831 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
10832 solvers:
10833 type: array
10834 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
10835 items:
10836 type: object
10837 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
10838 properties:
10839 selector:
10840 type: object
10841 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
10842 properties:
10843 dnsNames:
10844 type: array
10845 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10846 items:
10847 type: string
10848 dnsZones:
10849 type: array
10850 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10851 items:
10852 type: string
10853 matchLabels:
10854 type: object
10855 additionalProperties:
10856 type: string
10857 description: A label selector that is used to refine the set of Certificates that this challenge solver will apply to.
10858 dns01:
10859 type: object
10860 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
10861 properties:
10862 acmeDNS:
10863 type: object
10864 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
10865 properties:
10866 accountSecretRef:
10867 type: object
10868 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10869 properties:
10870 name:
10871 type: string
10872 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10873 key:
10874 type: string
10875 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10876 required:
10877 - name
10878 host:
10879 type: string
10880 required:
10881 - accountSecretRef
10882 - host
10883 akamai:
10884 type: object
10885 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
10886 properties:
10887 accessTokenSecretRef:
10888 type: object
10889 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10890 properties:
10891 name:
10892 type: string
10893 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10894 key:
10895 type: string
10896 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10897 required:
10898 - name
10899 clientSecretSecretRef:
10900 type: object
10901 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10902 properties:
10903 name:
10904 type: string
10905 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10906 key:
10907 type: string
10908 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10909 required:
10910 - name
10911 clientTokenSecretRef:
10912 type: object
10913 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10914 properties:
10915 name:
10916 type: string
10917 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10918 key:
10919 type: string
10920 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10921 required:
10922 - name
10923 serviceConsumerDomain:
10924 type: string
10925 required:
10926 - accessTokenSecretRef
10927 - clientSecretSecretRef
10928 - clientTokenSecretRef
10929 - serviceConsumerDomain
10930 azureDNS:
10931 type: object
10932 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
10933 properties:
10934 clientID:
10935 type: string
10936 description: If both this field and clientSecretSecretRef are left unset, Managed Service Identity (MSI) will be used to authenticate.
10937 clientSecretSecretRef:
10938 type: object
10939 description: If both this field and clientID are left unset, Managed Service Identity (MSI) will be used to authenticate.
10940 properties:
10941 name:
10942 type: string
10943 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10944 key:
10945 type: string
10946 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10947 required:
10948 - name
10949 environment:
10950 type: string
10951 enum:
10952 - AzurePublicCloud
10953 - AzureChinaCloud
10954 - AzureGermanCloud
10955 - AzureUSGovernmentCloud
10956 hostedZoneName:
10957 type: string
10958 resourceGroupName:
10959 type: string
10960 subscriptionID:
10961 type: string
10962 tenantID:
10963 type: string
10964 description: Required when clientID and clientSecretSecretRef are specified.
10965 required:
10966 - resourceGroupName
10967 - subscriptionID
10968 cloudDNS:
10969 type: object
10970 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
10971 properties:
10972 hostedZoneName:
10973 type: string
10974 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
10975 project:
10976 type: string
10977 serviceAccountSecretRef:
10978 type: object
10979 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10980 properties:
10981 name:
10982 type: string
10983 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10984 key:
10985 type: string
10986 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10987 required:
10988 - name
10989 required:
10990 - project
10991 cloudflare:
10992 type: object
10993 description: Use the Cloudflare API to manage DNS01 challenge records.
10994 properties:
10995 apiKeySecretRef:
10996 type: object
10997 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
10998 properties:
10999 name:
11000 type: string
11001 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11002 key:
11003 type: string
11004 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11005 required:
11006 - name
11007 apiTokenSecretRef:
11008 type: object
11009 description: API token used to authenticate with Cloudflare.
11010 properties:
11011 name:
11012 type: string
11013 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11014 key:
11015 type: string
11016 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11017 required:
11018 - name
11019 email:
11020 type: string
11021 description: Email of the account, only required when using API key based authentication.
11022 cnameStrategy:
11023 type: string
11024 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
11025 enum:
11026 - None
11027 - Follow
11028 digitalocean:
11029 type: object
11030 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
11031 properties:
11032 tokenSecretRef:
11033 type: object
11034 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
11035 properties:
11036 name:
11037 type: string
11038 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11039 key:
11040 type: string
11041 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11042 required:
11043 - name
11044 required:
11045 - tokenSecretRef
11046 rfc2136:
11047 type: object
11048 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
11049 properties:
11050 nameserver:
11051 type: string
11052 description: The IP address or hostname of an authoritative DNS server supporting RFC2136, in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
11053 tsigAlgorithm:
11054 type: string
11055 description: 'The TSIG Algorithm configured in the DNS server supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The HMAC-MD5 default is kept for backwards compatibility only and is no longer recommended for new deployments; set ``HMACSHA256`` or ``HMACSHA512`` explicitly where the DNS server supports them.'
11056 tsigKeyName:
11057 type: string
11058 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
11059 tsigSecretSecretRef:
11060 type: object
11061 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
11062 properties:
11063 name:
11064 type: string
11065 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11066 key:
11067 type: string
11068 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11069 required:
11070 - name
11071 required:
11072 - nameserver
11073 route53:
11074 type: object
11075 description: Use the AWS Route53 API to manage DNS01 challenge records.
11076 properties:
11077 accessKeyID:
11078 type: string
11079 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
11080 hostedZoneID:
11081 type: string
11082 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
11083 region:
11084 type: string
11085 description: Always set the region when using AccessKeyID and SecretAccessKey
11086 role:
11087 type: string
11088 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
11089 secretAccessKeySecretRef:
11090 type: object
11091 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
11092 properties:
11093 name:
11094 type: string
11095 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11096 key:
11097 type: string
11098 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11099 required:
11100 - name
11101 required:
11102 - region
11103 webhook:
11104 type: object
11105 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
11106 properties:
11107 config:
11108 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
11109 x-kubernetes-preserve-unknown-fields: true
11110 groupName:
11111 type: string
11112 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
11113 solverName:
11114 type: string
11115 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
11116 required:
11117 - groupName
11118 - solverName
11119 http01:
11120 type: object
11121 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
11122 properties:
11123 gatewayHTTPRoute:
11124 type: object
11125 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
11126 properties:
11127 labels:
11128 type: object
11129 additionalProperties:
11130 type: string
11131 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
11132 serviceType:
11133 type: string
11134 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11135 ingress:
11136 type: object
11137 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
11138 properties:
11139 name:
11140 type: string
11141 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
11142 class:
11143 type: string
11144 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
11145 ingressTemplate:
11146 type: object
11147 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
11148 properties:
11149 metadata:
11150 type: object
11151 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11152 properties:
11153 labels:
11154 type: object
11155 additionalProperties:
11156 type: string
11157 description: Labels that should be added to the created ACME HTTP01 solver ingress.
11158 annotations:
11159 type: object
11160 additionalProperties:
11161 type: string
11162 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
11163 podTemplate:
11164 type: object
11165 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
11166 properties:
11167 metadata:
11168 type: object
11169 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11170 properties:
11171 labels:
11172 type: object
11173 additionalProperties:
11174 type: string
11175 description: Labels that should be added to the created ACME HTTP01 solver pods.
11176 annotations:
11177 type: object
11178 additionalProperties:
11179 type: string
11180 description: Annotations that should be added to the created ACME HTTP01 solver pods.
11181 spec:
11182 type: object
11183 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
11184 properties:
11185 serviceAccountName:
11186 type: string
11187 description: If specified, the pod's service account name.
11188 priorityClassName:
11189 type: string
11190 description: If specified, the pod's priorityClassName.
11191 nodeSelector:
11192 type: object
11193 additionalProperties:
11194 type: string
11195 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
11196 affinity:
11197 type: object
11198 description: If specified, the pod's scheduling constraints
11199 properties:
11200 nodeAffinity:
11201 type: object
11202 description: Describes node affinity scheduling rules for the pod.
11203 properties:
11204 preferredDuringSchedulingIgnoredDuringExecution:
11205 type: array
11206 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
11207 items:
11208 type: object
11209 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
11210 properties:
11211 preference:
11212 type: object
11213 description: A node selector term, associated with the corresponding weight.
11214 properties:
11215 matchExpressions:
11216 type: array
11217 description: A list of node selector requirements by node's labels.
11218 items:
11219 type: object
11220 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11221 properties:
11222 key:
11223 type: string
11224 description: The label key that the selector applies to.
11225 operator:
11226 type: string
11227 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11228 values:
11229 type: array
11230 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11231 items:
11232 type: string
11233 required:
11234 - key
11235 - operator
11236 matchFields:
11237 type: array
11238 description: A list of node selector requirements by node's fields.
11239 items:
11240 type: object
11241 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11242 properties:
11243 key:
11244 type: string
11245 description: The label key that the selector applies to.
11246 operator:
11247 type: string
11248 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11249 values:
11250 type: array
11251 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11252 items:
11253 type: string
11254 required:
11255 - key
11256 - operator
11257 weight:
11258 type: integer
11259 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
11260 format: int32
11261 required:
11262 - preference
11263 - weight
11264 requiredDuringSchedulingIgnoredDuringExecution:
11265 type: object
11266 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
11267 properties:
11268 nodeSelectorTerms:
11269 type: array
11270 description: Required. A list of node selector terms. The terms are ORed.
11271 items:
11272 type: object
11273 description: A null or empty node selector term matches no objects. Its requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
11274 properties:
11275 matchExpressions:
11276 type: array
11277 description: A list of node selector requirements by node's labels.
11278 items:
11279 type: object
11280 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11281 properties:
11282 key:
11283 type: string
11284 description: The label key that the selector applies to.
11285 operator:
11286 type: string
11287 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11288 values:
11289 type: array
11290 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11291 items:
11292 type: string
11293 required:
11294 - key
11295 - operator
11296 matchFields:
11297 type: array
11298 description: A list of node selector requirements by node's fields.
11299 items:
11300 type: object
11301 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11302 properties:
11303 key:
11304 type: string
11305 description: The label key that the selector applies to.
11306 operator:
11307 type: string
11308 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11309 values:
11310 type: array
11311 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11312 items:
11313 type: string
11314 required:
11315 - key
11316 - operator
11317 required:
11318 - nodeSelectorTerms
11319 podAffinity:
11320 type: object
11321 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
11322 properties:
11323 preferredDuringSchedulingIgnoredDuringExecution:
11324 type: array
11325 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11326 items:
11327 type: object
11328 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11329 properties:
11330 podAffinityTerm:
11331 type: object
11332 description: Required. A pod affinity term, associated with the corresponding weight.
11333 properties:
11334 labelSelector:
11335 type: object
11336 description: A label query over a set of resources, in this case pods.
11337 properties:
11338 matchExpressions:
11339 type: array
11340 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11341 items:
11342 type: object
11343 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11344 properties:
11345 key:
11346 type: string
11347 description: key is the label key that the selector applies to.
11348 operator:
11349 type: string
11350 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11351 values:
11352 type: array
11353 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11354 items:
11355 type: string
11356 required:
11357 - key
11358 - operator
11359 matchLabels:
11360 type: object
11361 additionalProperties:
11362 type: string
11363 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11364 namespaceSelector:
11365 type: object
11366 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11367 properties:
11368 matchExpressions:
11369 type: array
11370 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11371 items:
11372 type: object
11373 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11374 properties:
11375 key:
11376 type: string
11377 description: key is the label key that the selector applies to.
11378 operator:
11379 type: string
11380 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11381 values:
11382 type: array
11383 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11384 items:
11385 type: string
11386 required:
11387 - key
11388 - operator
11389 matchLabels:
11390 type: object
11391 additionalProperties:
11392 type: string
11393 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11394 namespaces:
11395 type: array
11396 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11397 items:
11398 type: string
11399 topologyKey:
11400 type: string
11401 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11402 required:
11403 - topologyKey
11404 weight:
11405 type: integer
11406 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11407 format: int32
11408 required:
11409 - podAffinityTerm
11410 - weight
11411 requiredDuringSchedulingIgnoredDuringExecution:
11412 type: array
11413 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11414 items:
11415 type: object
11416 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11417 properties:
11418 labelSelector:
11419 type: object
11420 description: A label query over a set of resources, in this case pods.
11421 properties:
11422 matchExpressions:
11423 type: array
11424 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11425 items:
11426 type: object
11427 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11428 properties:
11429 key:
11430 type: string
11431 description: key is the label key that the selector applies to.
11432 operator:
11433 type: string
11434 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11435 values:
11436 type: array
11437 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11438 items:
11439 type: string
11440 required:
11441 - key
11442 - operator
11443 matchLabels:
11444 type: object
11445 additionalProperties:
11446 type: string
11447 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11448 namespaceSelector:
11449 type: object
11450 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11451 properties:
11452 matchExpressions:
11453 type: array
11454 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11455 items:
11456 type: object
11457 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11458 properties:
11459 key:
11460 type: string
11461 description: key is the label key that the selector applies to.
11462 operator:
11463 type: string
11464 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11465 values:
11466 type: array
11467 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11468 items:
11469 type: string
11470 required:
11471 - key
11472 - operator
11473 matchLabels:
11474 type: object
11475 additionalProperties:
11476 type: string
11477 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11478 namespaces:
11479 type: array
11480 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11481 items:
11482 type: string
11483 topologyKey:
11484 type: string
11485 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11486 required:
11487 - topologyKey
11488 podAntiAffinity:
11489 type: object
11490 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
11491 properties:
11492 preferredDuringSchedulingIgnoredDuringExecution:
11493 type: array
11494 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11495 items:
11496 type: object
11497 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11498 properties:
11499 podAffinityTerm:
11500 type: object
11501 description: Required. A pod affinity term, associated with the corresponding weight.
11502 properties:
11503 labelSelector:
11504 type: object
11505 description: A label query over a set of resources, in this case pods.
11506 properties:
11507 matchExpressions:
11508 type: array
11509 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11510 items:
11511 type: object
11512 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11513 properties:
11514 key:
11515 type: string
11516 description: key is the label key that the selector applies to.
11517 operator:
11518 type: string
11519 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11520 values:
11521 type: array
11522 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11523 items:
11524 type: string
11525 required:
11526 - key
11527 - operator
11528 matchLabels:
11529 type: object
11530 additionalProperties:
11531 type: string
11532 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11533 namespaceSelector:
11534 type: object
11535 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11536 properties:
11537 matchExpressions:
11538 type: array
11539 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11540 items:
11541 type: object
11542 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11543 properties:
11544 key:
11545 type: string
11546 description: key is the label key that the selector applies to.
11547 operator:
11548 type: string
11549 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11550 values:
11551 type: array
11552 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11553 items:
11554 type: string
11555 required:
11556 - key
11557 - operator
11558 matchLabels:
11559 type: object
11560 additionalProperties:
11561 type: string
11562 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11563 namespaces:
11564 type: array
11565 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11566 items:
11567 type: string
11568 topologyKey:
11569 type: string
11570 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11571 required:
11572 - topologyKey
11573 weight:
11574 type: integer
11575 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11576 format: int32
11577 required:
11578 - podAffinityTerm
11579 - weight
11580 requiredDuringSchedulingIgnoredDuringExecution:
11581 type: array
11582 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11583 items:
11584 type: object
11585 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11586 properties:
11587 labelSelector:
11588 type: object
11589 description: A label query over a set of resources, in this case pods.
11590 properties:
11591 matchExpressions:
11592 type: array
11593 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11594 items:
11595 type: object
11596 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11597 properties:
11598 key:
11599 type: string
11600 description: key is the label key that the selector applies to.
11601 operator:
11602 type: string
11603 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11604 values:
11605 type: array
11606 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11607 items:
11608 type: string
11609 required:
11610 - key
11611 - operator
11612 matchLabels:
11613 type: object
11614 additionalProperties:
11615 type: string
11616 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11617 namespaceSelector:
11618 type: object
11619 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11620 properties:
11621 matchExpressions:
11622 type: array
11623 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11624 items:
11625 type: object
11626 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11627 properties:
11628 key:
11629 type: string
11630 description: key is the label key that the selector applies to.
11631 operator:
11632 type: string
11633 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11634 values:
11635 type: array
11636 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11637 items:
11638 type: string
11639 required:
11640 - key
11641 - operator
11642 matchLabels:
11643 type: object
11644 additionalProperties:
11645 type: string
11646 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11647 namespaces:
11648 type: array
11649 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11650 items:
11651 type: string
11652 topologyKey:
11653 type: string
11654 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11655 required:
11656 - topologyKey
11657 tolerations:
11658 type: array
11659 description: If specified, the pod's tolerations.
11660 items:
11661 type: object
11662 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
11663 properties:
11664 value:
11665 type: string
11666 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
11667 effect:
11668 type: string
11669 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
11670 key:
11671 type: string
11672 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
11673 operator:
11674 type: string
11675 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
11676 tolerationSeconds:
11677 type: integer
11678 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
11679 format: int64
11680 serviceType:
11681 type: string
11682 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11683 required:
11684 - privateKeySecretRef
11685 - server
11686 ca:
11687 type: object
11688 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
11689 properties:
11690 crlDistributionPoints:
11691 type: array
11692 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
11693 items:
11694 type: string
11695 ocspServers:
11696 type: array
11697 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
11698 items:
11699 type: string
11700 secretName:
11701 type: string
11702 description: SecretName is the name of the Secret holding the signing CA keypair used to sign Certificates issued by this Issuer.
11703 required:
11704 - secretName
11705 selfSigned:
11706 type: object
11707 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
11708 properties:
11709 crlDistributionPoints:
11710 type: array
11711 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
11712 items:
11713 type: string
11714 vault:
11715 type: object
11716 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
11717 properties:
11718 namespace:
11719 type: string
11720 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
11721 auth:
11722 type: object
11723 description: Auth configures how cert-manager authenticates with the Vault server.
11724 properties:
11725 appRole:
11726 type: object
11727 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
11728 properties:
11729 secretRef:
11730 type: object
11731 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
11732 properties:
11733 name:
11734 type: string
11735 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11736 key:
11737 type: string
11738 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11739 required:
11740 - name
11741 path:
11742 type: string
11743 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
11744 roleId:
11745 type: string
11746 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
11747 required:
11748 - path
11749 - roleId
11750 - secretRef
11751 kubernetes:
11752 type: object
11753 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
11754 properties:
11755 mountPath:
11756 type: string
11757 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
11758 secretRef:
11759 type: object
11760 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
11761 properties:
11762 name:
11763 type: string
11764 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11765 key:
11766 type: string
11767 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11768 required:
11769 - name
11770 role:
11771 type: string
11772 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
11773 required:
11774 - role
11775 - secretRef
11776 tokenSecretRef:
11777 type: object
11778 description: TokenSecretRef authenticates with Vault by presenting a token.
11779 properties:
11780 name:
11781 type: string
11782 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11783 key:
11784 type: string
11785 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11786 required:
11787 - name
11788 caBundle:
11789 type: string
11790 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
11791 format: byte
11792 path:
11793 type: string
11794 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
11795 server:
11796 type: string
11797 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
11798 required:
11799 - auth
11800 - path
11801 - server
11802 venafi:
11803 type: object
11804 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
11805 properties:
11806 cloud:
11807 type: object
11808 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
11809 properties:
11810 apiTokenSecretRef:
11811 type: object
11812 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
11813 properties:
11814 name:
11815 type: string
11816 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11817 key:
11818 type: string
11819 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11820 required:
11821 - name
11822 url:
11823 type: string
11824 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
11825 required:
11826 - apiTokenSecretRef
11827 tpp:
11828 type: object
11829 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
11830 properties:
11831 caBundle:
11832 type: string
11833 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
11834 format: byte
11835 credentialsRef:
11836 type: object
11837 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
11838 properties:
11839 name:
11840 type: string
11841 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11842 required:
11843 - name
11844 url:
11845 type: string
11846 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
11847 required:
11848 - credentialsRef
11849 - url
11850 zone:
11851 type: string
11852 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
11853 required:
11854 - zone
11855 status:
11856 type: object
11857 description: Status of the Issuer. This is set and managed automatically.
11858 properties:
11859 acme:
11860 type: object
11861 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
11862 properties:
11863 lastRegisteredEmail:
11864 type: string
11865 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
11866 uri:
11867 type: string
11868 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
11869 conditions:
11870 type: array
11871 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
11872 items:
11873 type: object
11874 description: IssuerCondition contains condition information for an Issuer.
11875 properties:
11876 type:
11877 type: string
11878 description: Type of the condition, known values are (`Ready`).
11879 status:
11880 type: string
11881 description: Status of the condition, one of (`True`, `False`, `Unknown`).
11882 enum:
11883 - "True"
11884 - "False"
11885 - Unknown
11886 lastTransitionTime:
11887 type: string
11888 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
11889 format: date-time
11890 message:
11891 type: string
11892 description: Message is a human readable description of the details of the last transition, complementing reason.
11893 observedGeneration:
11894 type: integer
11895 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
11896 format: int64
11897 reason:
11898 type: string
11899 description: Reason is a brief machine readable explanation for the condition's last transition.
11900 required:
11901 - status
11902 - type
11903 required:
11904 - spec
11905 served: true
11906 storage: true
11907 subresources:
11908 status: {}
11909 - name: v1alpha2
11910 additionalPrinterColumns:
11911 - name: Ready
11912 type: string
11913 jsonPath: .status.conditions[?(@.type=="Ready")].status
11914 - name: Status
11915 type: string
11916 priority: 1
11917 jsonPath: .status.conditions[?(@.type=="Ready")].message
11918 - name: Age
11919 type: date
11920 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
11921 jsonPath: .metadata.creationTimestamp
11922 schema:
11923 openAPIV3Schema:
11924 type: object
11925 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
11926 properties:
11927 apiVersion:
11928 type: string
11929 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11930 kind:
11931 type: string
11932 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11933 metadata:
11934 type: object
11935 spec:
11936 type: object
11937 description: Desired state of the Issuer resource.
11938 properties:
11939 acme:
11940 type: object
11941 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
11942 properties:
11943 disableAccountKeyGeneration:
11944 type: boolean
11945 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
11946 email:
11947 type: string
11948 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
11949 enableDurationFeature:
11950 type: boolean
11951 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
11952 externalAccountBinding:
11953 type: object
11954 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
11955 properties:
11956 keyAlgorithm:
11957 type: string
11958 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
11959 enum:
11960 - HS256
11961 - HS384
11962 - HS512
11963 keyID:
11964 type: string
11965 description: keyID is the ID of the CA key that the External Account is bound to.
11966 keySecretRef:
11967 type: object
11968 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
11969 properties:
11970 name:
11971 type: string
11972 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11973 key:
11974 type: string
11975 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11976 required:
11977 - name
11978 required:
11979 - keyID
11980 - keySecretRef
11981 preferredChain:
11982 type: string
11983 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
11984 maxLength: 64
11985 privateKeySecretRef:
11986 type: object
11987 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
11988 properties:
11989 name:
11990 type: string
11991 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11992 key:
11993 type: string
11994 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11995 required:
11996 - name
11997 server:
11998 type: string
11999 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
12000 skipTLSVerify:
12001 type: boolean
12002 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
12003 solvers:
12004 type: array
12005 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
12006 items:
12007 type: object
12008 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
12009 properties:
12010 selector:
12011 type: object
12012 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
12013 properties:
12014 dnsNames:
12015 type: array
12016 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12017 items:
12018 type: string
12019 dnsZones:
12020 type: array
12021 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12022 items:
12023 type: string
12024 matchLabels:
12025 type: object
12026 additionalProperties:
12027 type: string
12028 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
12029 dns01:
12030 type: object
12031 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
12032 properties:
12033 acmedns:
12034 type: object
12035 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
12036 properties:
12037 accountSecretRef:
12038 type: object
12039 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12040 properties:
12041 name:
12042 type: string
12043 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12044 key:
12045 type: string
12046 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12047 required:
12048 - name
12049 host:
12050 type: string
12051 required:
12052 - accountSecretRef
12053 - host
12054 akamai:
12055 type: object
12056 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
12057 properties:
12058 accessTokenSecretRef:
12059 type: object
12060 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12061 properties:
12062 name:
12063 type: string
12064 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12065 key:
12066 type: string
12067 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12068 required:
12069 - name
12070 clientSecretSecretRef:
12071 type: object
12072 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12073 properties:
12074 name:
12075 type: string
12076 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12077 key:
12078 type: string
12079 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12080 required:
12081 - name
12082 clientTokenSecretRef:
12083 type: object
12084 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12085 properties:
12086 name:
12087 type: string
12088 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12089 key:
12090 type: string
12091 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12092 required:
12093 - name
12094 serviceConsumerDomain:
12095 type: string
12096 required:
12097 - accessTokenSecretRef
12098 - clientSecretSecretRef
12099 - clientTokenSecretRef
12100 - serviceConsumerDomain
12101 azuredns:
12102 type: object
12103 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
12104 properties:
12105 clientID:
12106 type: string
12107 description: If both this and ClientSecret are left unset, MSI will be used.
12108 clientSecretSecretRef:
12109 type: object
12110 description: If both this and ClientID are left unset, MSI will be used.
12111 properties:
12112 name:
12113 type: string
12114 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12115 key:
12116 type: string
12117 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12118 required:
12119 - name
12120 environment:
12121 type: string
12122 enum:
12123 - AzurePublicCloud
12124 - AzureChinaCloud
12125 - AzureGermanCloud
12126 - AzureUSGovernmentCloud
12127 hostedZoneName:
12128 type: string
12129 resourceGroupName:
12130 type: string
12131 subscriptionID:
12132 type: string
12133 tenantID:
12134 type: string
12135 description: When specifying ClientID and ClientSecret, this field is also needed.
12136 required:
12137 - resourceGroupName
12138 - subscriptionID
12139 clouddns:
12140 type: object
12141 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
12142 properties:
12143 hostedZoneName:
12144 type: string
12145 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
12146 project:
12147 type: string
12148 serviceAccountSecretRef:
12149 type: object
12150 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12151 properties:
12152 name:
12153 type: string
12154 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12155 key:
12156 type: string
12157 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12158 required:
12159 - name
12160 required:
12161 - project
12162 cloudflare:
12163 type: object
12164 description: Use the Cloudflare API to manage DNS01 challenge records.
12165 properties:
12166 apiKeySecretRef:
12167 type: object
12168 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
12169 properties:
12170 name:
12171 type: string
12172 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12173 key:
12174 type: string
12175 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12176 required:
12177 - name
12178 apiTokenSecretRef:
12179 type: object
12180 description: API token used to authenticate with Cloudflare.
12181 properties:
12182 name:
12183 type: string
12184 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12185 key:
12186 type: string
12187 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12188 required:
12189 - name
12190 email:
12191 type: string
12192 description: Email of the account, only required when using API key based authentication.
12193 cnameStrategy:
12194 type: string
12195 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
12196 enum:
12197 - None
12198 - Follow
12199 digitalocean:
12200 type: object
12201 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
12202 properties:
12203 tokenSecretRef:
12204 type: object
12205 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12206 properties:
12207 name:
12208 type: string
12209 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12210 key:
12211 type: string
12212 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12213 required:
12214 - name
12215 required:
12216 - tokenSecretRef
12217 rfc2136:
12218 type: object
12219 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
12220 properties:
12221 nameserver:
12222 type: string
12223 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
12224 tsigAlgorithm:
12225 type: string
12226 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
12227 tsigKeyName:
12228 type: string
12229 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
12230 tsigSecretSecretRef:
12231 type: object
12232 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
12233 properties:
12234 name:
12235 type: string
12236 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12237 key:
12238 type: string
12239 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12240 required:
12241 - name
12242 required:
12243 - nameserver
12244 route53:
12245 type: object
12246 description: Use the AWS Route53 API to manage DNS01 challenge records.
12247 properties:
12248 accessKeyID:
12249 type: string
12250 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
12251 hostedZoneID:
12252 type: string
12253 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
12254 region:
12255 type: string
12256 description: Always set the region when using AccessKeyID and SecretAccessKey
12257 role:
12258 type: string
12259 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
12260 secretAccessKeySecretRef:
12261 type: object
12262 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
12263 properties:
12264 name:
12265 type: string
12266 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12267 key:
12268 type: string
12269 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12270 required:
12271 - name
12272 required:
12273 - region
12274 webhook:
12275 type: object
12276 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
12277 properties:
12278 config:
12279 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
12280 x-kubernetes-preserve-unknown-fields: true
12281 groupName:
12282 type: string
12283 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
12284 solverName:
12285 type: string
12286 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
12287 required:
12288 - groupName
12289 - solverName
12290 http01:
12291 type: object
12292 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
12293 properties:
12294 gatewayHTTPRoute:
12295 type: object
12296 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
12297 properties:
12298 labels:
12299 type: object
12300 additionalProperties:
12301 type: string
12302 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
12303 serviceType:
12304 type: string
12305 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12306 ingress:
12307 type: object
12308 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
12309 properties:
12310 name:
12311 type: string
12312 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
12313 class:
12314 type: string
12315 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
12316 ingressTemplate:
12317 type: object
12318 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
12319 properties:
12320 metadata:
12321 type: object
12322 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12323 properties:
12324 labels:
12325 type: object
12326 additionalProperties:
12327 type: string
12328 description: Labels that should be added to the created ACME HTTP01 solver ingress.
12329 annotations:
12330 type: object
12331 additionalProperties:
12332 type: string
12333 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
12334 podTemplate:
12335 type: object
12336 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
12337 properties:
12338 metadata:
12339 type: object
12340 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12341 properties:
12342 labels:
12343 type: object
12344 additionalProperties:
12345 type: string
12346 description: Labels that should be added to the created ACME HTTP01 solver pods.
12347 annotations:
12348 type: object
12349 additionalProperties:
12350 type: string
12351 description: Annotations that should be added to the created ACME HTTP01 solver pods.
12352 spec:
12353 type: object
12354 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
12355 properties:
12356 serviceAccountName:
12357 type: string
12358 description: If specified, the pod's service account name.
12359 priorityClassName:
12360 type: string
12361 description: If specified, the pod's priorityClassName.
12362 nodeSelector:
12363 type: object
12364 additionalProperties:
12365 type: string
12366 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
12367 affinity:
12368 type: object
12369 description: If specified, the pod's scheduling constraints.
12370 properties:
12371 nodeAffinity:
12372 type: object
12373 description: Describes node affinity scheduling rules for the pod.
12374 properties:
12375 preferredDuringSchedulingIgnoredDuringExecution:
12376 type: array
12377 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
12378 items:
12379 type: object
12380 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
12381 properties:
12382 preference:
12383 type: object
12384 description: A node selector term, associated with the corresponding weight.
12385 properties:
12386 matchExpressions:
12387 type: array
12388 description: A list of node selector requirements by node's labels.
12389 items:
12390 type: object
12391 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12392 properties:
12393 key:
12394 type: string
12395 description: The label key that the selector applies to.
12396 operator:
12397 type: string
12398 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12399 values:
12400 type: array
12401 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12402 items:
12403 type: string
12404 required:
12405 - key
12406 - operator
12407 matchFields:
12408 type: array
12409 description: A list of node selector requirements by node's fields.
12410 items:
12411 type: object
12412 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12413 properties:
12414 key:
12415 type: string
12416 description: The label key that the selector applies to.
12417 operator:
12418 type: string
12419 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12420 values:
12421 type: array
12422 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12423 items:
12424 type: string
12425 required:
12426 - key
12427 - operator
12428 weight:
12429 type: integer
12430 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
12431 format: int32
12432 required:
12433 - preference
12434 - weight
12435 requiredDuringSchedulingIgnoredDuringExecution:
12436 type: object
12437 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
12438 properties:
12439 nodeSelectorTerms:
12440 type: array
12441 description: Required. A list of node selector terms. The terms are ORed.
12442 items:
12443 type: object
12444 description: A null or empty node selector term matches no objects. Their requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
12445 properties:
12446 matchExpressions:
12447 type: array
12448 description: A list of node selector requirements by node's labels.
12449 items:
12450 type: object
12451 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12452 properties:
12453 key:
12454 type: string
12455 description: The label key that the selector applies to.
12456 operator:
12457 type: string
12458 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12459 values:
12460 type: array
12461 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12462 items:
12463 type: string
12464 required:
12465 - key
12466 - operator
12467 matchFields:
12468 type: array
12469 description: A list of node selector requirements by node's fields.
12470 items:
12471 type: object
12472 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12473 properties:
12474 key:
12475 type: string
12476 description: The label key that the selector applies to.
12477 operator:
12478 type: string
12479 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12480 values:
12481 type: array
12482 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12483 items:
12484 type: string
12485 required:
12486 - key
12487 - operator
12488 required:
12489 - nodeSelectorTerms
12490 podAffinity:
12491 type: object
12492 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
12493 properties:
12494 preferredDuringSchedulingIgnoredDuringExecution:
12495 type: array
12496 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12497 items:
12498 type: object
12499 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
12500 properties:
12501 podAffinityTerm:
12502 type: object
12503 description: Required. A pod affinity term, associated with the corresponding weight.
12504 properties:
12505 labelSelector:
12506 type: object
12507 description: A label query over a set of resources, in this case pods.
12508 properties:
12509 matchExpressions:
12510 type: array
12511 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12512 items:
12513 type: object
12514 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12515 properties:
12516 key:
12517 type: string
12518 description: key is the label key that the selector applies to.
12519 operator:
12520 type: string
12521 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12522 values:
12523 type: array
12524 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12525 items:
12526 type: string
12527 required:
12528 - key
12529 - operator
12530 matchLabels:
12531 type: object
12532 additionalProperties:
12533 type: string
12534 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12535 namespaceSelector:
12536 type: object
12537 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
12538 properties:
12539 matchExpressions:
12540 type: array
12541 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12542 items:
12543 type: object
12544 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12545 properties:
12546 key:
12547 type: string
12548 description: key is the label key that the selector applies to.
12549 operator:
12550 type: string
12551 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12552 values:
12553 type: array
12554 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12555 items:
12556 type: string
12557 required:
12558 - key
12559 - operator
12560 matchLabels:
12561 type: object
12562 additionalProperties:
12563 type: string
12564 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12565 namespaces:
12566 type: array
12567 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector means "this pod's namespace".
12568 items:
12569 type: string
12570 topologyKey:
12571 type: string
12572 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12573 required:
12574 - topologyKey
12575 weight:
12576 type: integer
12577 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12578 format: int32
12579 required:
12580 - podAffinityTerm
12581 - weight
12582 requiredDuringSchedulingIgnoredDuringExecution:
12583 type: array
12584 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12585 items:
12586 type: object
12587 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running.
12588 properties:
12589 labelSelector:
12590 type: object
12591 description: A label query over a set of resources, in this case pods.
12592 properties:
12593 matchExpressions:
12594 type: array
12595 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12596 items:
12597 type: object
12598 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12599 properties:
12600 key:
12601 type: string
12602 description: key is the label key that the selector applies to.
12603 operator:
12604 type: string
12605 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12606 values:
12607 type: array
12608 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12609 items:
12610 type: string
12611 required:
12612 - key
12613 - operator
12614 matchLabels:
12615 type: object
12616 additionalProperties:
12617 type: string
12618 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12619 namespaceSelector:
12620 type: object
12621 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
12622 properties:
12623 matchExpressions:
12624 type: array
12625 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12626 items:
12627 type: object
12628 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12629 properties:
12630 key:
12631 type: string
12632 description: key is the label key that the selector applies to.
12633 operator:
12634 type: string
12635 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12636 values:
12637 type: array
12638 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12639 items:
12640 type: string
12641 required:
12642 - key
12643 - operator
12644 matchLabels:
12645 type: object
12646 additionalProperties:
12647 type: string
12648 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12649 namespaces:
12650 type: array
12651 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector means "this pod's namespace".
12652 items:
12653 type: string
12654 topologyKey:
12655 type: string
12656 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12657 required:
12658 - topologyKey
12659 podAntiAffinity:
12660 type: object
12661 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
12662 properties:
12663 preferredDuringSchedulingIgnoredDuringExecution:
12664 type: array
12665 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12666 items:
12667 type: object
12668 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
12669 properties:
12670 podAffinityTerm:
12671 type: object
12672 description: Required. A pod affinity term, associated with the corresponding weight.
12673 properties:
12674 labelSelector:
12675 type: object
12676 description: A label query over a set of resources, in this case pods.
12677 properties:
12678 matchExpressions:
12679 type: array
12680 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12681 items:
12682 type: object
12683 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12684 properties:
12685 key:
12686 type: string
12687 description: key is the label key that the selector applies to.
12688 operator:
12689 type: string
12690 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12691 values:
12692 type: array
12693 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12694 items:
12695 type: string
12696 required:
12697 - key
12698 - operator
12699 matchLabels:
12700 type: object
12701 additionalProperties:
12702 type: string
12703 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12704 namespaceSelector:
12705 type: object
12706 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
12707 properties:
12708 matchExpressions:
12709 type: array
12710 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12711 items:
12712 type: object
12713 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12714 properties:
12715 key:
12716 type: string
12717 description: key is the label key that the selector applies to.
12718 operator:
12719 type: string
12720 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12721 values:
12722 type: array
12723 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12724 items:
12725 type: string
12726 required:
12727 - key
12728 - operator
12729 matchLabels:
12730 type: object
12731 additionalProperties:
12732 type: string
12733 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12734 namespaces:
12735 type: array
12736 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector means "this pod's namespace".
12737 items:
12738 type: string
12739 topologyKey:
12740 type: string
12741 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12742 required:
12743 - topologyKey
12744 weight:
12745 type: integer
12746 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12747 format: int32
12748 required:
12749 - podAffinityTerm
12750 - weight
12751 requiredDuringSchedulingIgnoredDuringExecution:
12752 type: array
12753 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12754 items:
12755 type: object
12756 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running.
12757 properties:
12758 labelSelector:
12759 type: object
12760 description: A label query over a set of resources, in this case pods.
12761 properties:
12762 matchExpressions:
12763 type: array
12764 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12765 items:
12766 type: object
12767 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12768 properties:
12769 key:
12770 type: string
12771 description: key is the label key that the selector applies to.
12772 operator:
12773 type: string
12774 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12775 values:
12776 type: array
12777 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12778 items:
12779 type: string
12780 required:
12781 - key
12782 - operator
12783 matchLabels:
12784 type: object
12785 additionalProperties:
12786 type: string
12787 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12788 namespaceSelector:
12789 type: object
12790 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
12791 properties:
12792 matchExpressions:
12793 type: array
12794 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12795 items:
12796 type: object
12797 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12798 properties:
12799 key:
12800 type: string
12801 description: key is the label key that the selector applies to.
12802 operator:
12803 type: string
12804 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12805 values:
12806 type: array
12807 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12808 items:
12809 type: string
12810 required:
12811 - key
12812 - operator
12813 matchLabels:
12814 type: object
12815 additionalProperties:
12816 type: string
12817 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12818 namespaces:
12819 type: array
12820 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector means "this pod's namespace".
12821 items:
12822 type: string
12823 topologyKey:
12824 type: string
12825 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12826 required:
12827 - topologyKey
12828 tolerations:
12829 type: array
12830 description: If specified, the pod's tolerations.
12831 items:
12832 type: object
12833 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
12834 properties:
12835 value:
12836 type: string
12837 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
12838 effect:
12839 type: string
12840 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
12841 key:
12842 type: string
12843 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
12844 operator:
12845 type: string
12846 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
12847 tolerationSeconds:
12848 type: integer
12849 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
12850 format: int64
12851 serviceType:
12852 type: string
12853 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12854 required:
12855 - privateKeySecretRef
12856 - server
12857 ca:
12858 type: object
12859 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
12860 properties:
12861 crlDistributionPoints:
12862 type: array
12863 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
12864 items:
12865 type: string
12866 ocspServers:
12867 type: array
12868 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
12869 items:
12870 type: string
12871 secretName:
12872 type: string
12873 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
12874 required:
12875 - secretName
12876 selfSigned:
12877 type: object
12878 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
12879 properties:
12880 crlDistributionPoints:
12881 type: array
12882 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
12883 items:
12884 type: string
12885 vault:
12886 type: object
12887 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
12888 properties:
12889 namespace:
12890 type: string
12891 description: 'Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
12892 auth:
12893 type: object
12894 description: Auth configures how cert-manager authenticates with the Vault server.
12895 properties:
12896 appRole:
12897 type: object
12898 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
12899 properties:
12900 secretRef:
12901 type: object
12902 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
12903 properties:
12904 name:
12905 type: string
12906 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12907 key:
12908 type: string
12909 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12910 required:
12911 - name
12912 path:
12913 type: string
12914 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
12915 roleId:
12916 type: string
12917 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
12918 required:
12919 - path
12920 - roleId
12921 - secretRef
12922 kubernetes:
12923 type: object
12924 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
12925 properties:
12926 mountPath:
12927 type: string
12928 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
12929 secretRef:
12930 type: object
12931 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
12932 properties:
12933 name:
12934 type: string
12935 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12936 key:
12937 type: string
12938 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12939 required:
12940 - name
12941 role:
12942 type: string
12943 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
12944 required:
12945 - role
12946 - secretRef
12947 tokenSecretRef:
12948 type: object
12949 description: TokenSecretRef authenticates with Vault by presenting a token.
12950 properties:
12951 name:
12952 type: string
12953 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12954 key:
12955 type: string
12956 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12957 required:
12958 - name
12959 caBundle:
12960 type: string
12961 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
12962 format: byte
12963 path:
12964 type: string
12965 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
12966 server:
12967 type: string
12968 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
12969 required:
12970 - auth
12971 - path
12972 - server
12973 venafi:
12974 type: object
12975 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
12976 properties:
12977 cloud:
12978 type: object
12979 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
12980 properties:
12981 apiTokenSecretRef:
12982 type: object
12983 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
12984 properties:
12985 name:
12986 type: string
12987 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12988 key:
12989 type: string
12990 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12991 required:
12992 - name
12993 url:
12994 type: string
12995 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
12996 required:
12997 - apiTokenSecretRef
12998 tpp:
12999 type: object
13000 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
13001 properties:
13002 caBundle:
13003 type: string
13004 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
13005 format: byte
13006 credentialsRef:
13007 type: object
13008 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
13009 properties:
13010 name:
13011 type: string
13012 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13013 required:
13014 - name
13015 url:
13016 type: string
13017 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
13018 required:
13019 - credentialsRef
13020 - url
13021 zone:
13022 type: string
13023 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
13024 required:
13025 - zone
13026 status:
13027 type: object
13028 description: Status of the Issuer. This is set and managed automatically.
13029 properties:
13030 acme:
13031 type: object
13032 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
13033 properties:
13034 lastRegisteredEmail:
13035 type: string
13036 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
13037 uri:
13038 type: string
13039 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA.
13040 conditions:
13041 type: array
13042 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
13043 items:
13044 type: object
13045 description: IssuerCondition contains condition information for an Issuer.
13046 properties:
13047 type:
13048 type: string
13049 description: Type of the condition, known values are (`Ready`).
13050 status:
13051 type: string
13052 description: Status of the condition, one of (`True`, `False`, `Unknown`).
13053 enum:
13054 - "True"
13055 - "False"
13056 - Unknown
13057 lastTransitionTime:
13058 type: string
13059 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
13060 format: date-time
13061 message:
13062 type: string
13063 description: Message is a human readable description of the details of the last transition, complementing reason.
13064 observedGeneration:
13065 type: integer
13066 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
13067 format: int64
13068 reason:
13069 type: string
13070 description: Reason is a brief machine readable explanation for the condition's last transition.
13071 required:
13072 - status
13073 - type
13074 served: true
13075 storage: false
13076 subresources:
13077 status: {}
13078 - name: v1alpha3
13079 additionalPrinterColumns:
13080 - name: Ready
13081 type: string
13082 jsonPath: .status.conditions[?(@.type=="Ready")].status
13083 - name: Status
13084 type: string
13085 priority: 1
13086 jsonPath: .status.conditions[?(@.type=="Ready")].message
13087 - name: Age
13088 type: date
13089 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
13090 jsonPath: .metadata.creationTimestamp
13091 schema:
13092 openAPIV3Schema:
13093 type: object
13094 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
13095 properties:
13096 apiVersion:
13097 type: string
13098 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
13099 kind:
13100 type: string
13101 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
13102 metadata:
13103 type: object
13104 spec:
13105 type: object
13106 description: Desired state of the Issuer resource.
13107 properties:
13108 acme:
13109 type: object
13110 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
13111 properties:
13112 disableAccountKeyGeneration:
13113 type: boolean
13114 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
13115 email:
13116 type: string
13117 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
13118 enableDurationFeature:
13119 type: boolean
13120 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
13121 externalAccountBinding:
13122 type: object
13123 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
13124 properties:
13125 keyAlgorithm:
13126 type: string
13127 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
13128 enum:
13129 - HS256
13130 - HS384
13131 - HS512
13132 keyID:
13133 type: string
13134 description: keyID is the ID of the CA key that the External Account is bound to.
13135 keySecretRef:
13136 type: object
13137 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
13138 properties:
13139 name:
13140 type: string
13141 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13142 key:
13143 type: string
13144 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13145 required:
13146 - name
13147 required:
13148 - keyID
13149 - keySecretRef
13150 preferredChain:
13151 type: string
13152 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
13153 maxLength: 64
13154 privateKeySecretRef:
13155 type: object
13156 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
13157 properties:
13158 name:
13159 type: string
13160 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13161 key:
13162 type: string
13163 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13164 required:
13165 - name
13166 server:
13167 type: string
13168 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
13169 skipTLSVerify:
13170 type: boolean
13171 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
13172 solvers:
13173 type: array
13174 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
13175 items:
13176 type: object
13177 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
13178 properties:
13179 selector:
13180 type: object
13181 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
13182 properties:
13183 dnsNames:
13184 type: array
13185 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13186 items:
13187 type: string
13188 dnsZones:
13189 type: array
13190 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13191 items:
13192 type: string
13193 matchLabels:
13194 type: object
13195 additionalProperties:
13196 type: string
13197 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
13198 dns01:
13199 type: object
13200 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
13201 properties:
13202 acmedns:
13203 type: object
13204 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
13205 properties:
13206 accountSecretRef:
13207 type: object
13208 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13209 properties:
13210 name:
13211 type: string
13212 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13213 key:
13214 type: string
13215 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13216 required:
13217 - name
13218 host:
13219 type: string
13220 required:
13221 - accountSecretRef
13222 - host
13223 akamai:
13224 type: object
13225 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
13226 properties:
13227 accessTokenSecretRef:
13228 type: object
13229 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13230 properties:
13231 name:
13232 type: string
13233 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13234 key:
13235 type: string
13236 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13237 required:
13238 - name
13239 clientSecretSecretRef:
13240 type: object
13241 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13242 properties:
13243 name:
13244 type: string
13245 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13246 key:
13247 type: string
13248 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13249 required:
13250 - name
13251 clientTokenSecretRef:
13252 type: object
13253 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13254 properties:
13255 name:
13256 type: string
13257 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13258 key:
13259 type: string
13260 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13261 required:
13262 - name
13263 serviceConsumerDomain:
13264 type: string
13265 required:
13266 - accessTokenSecretRef
13267 - clientSecretSecretRef
13268 - clientTokenSecretRef
13269 - serviceConsumerDomain
13270 azuredns:
13271 type: object
13272 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
13273 properties:
13274 clientID:
13275 type: string
13276 description: If both this and ClientSecret are left unset, MSI will be used.
13277 clientSecretSecretRef:
13278 type: object
13279 description: If both this and ClientID are left unset, MSI will be used.
13280 properties:
13281 name:
13282 type: string
13283 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13284 key:
13285 type: string
13286 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13287 required:
13288 - name
13289 environment:
13290 type: string
13291 enum:
13292 - AzurePublicCloud
13293 - AzureChinaCloud
13294 - AzureGermanCloud
13295 - AzureUSGovernmentCloud
13296 hostedZoneName:
13297 type: string
13298 resourceGroupName:
13299 type: string
13300 subscriptionID:
13301 type: string
13302 tenantID:
13303 type: string
13304 description: When specifying ClientID and ClientSecret, this field is also required.
13305 required:
13306 - resourceGroupName
13307 - subscriptionID
13308 clouddns:
13309 type: object
13310 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
13311 properties:
13312 hostedZoneName:
13313 type: string
13314 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
13315 project:
13316 type: string
13317 serviceAccountSecretRef:
13318 type: object
13319 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13320 properties:
13321 name:
13322 type: string
13323 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13324 key:
13325 type: string
13326 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13327 required:
13328 - name
13329 required:
13330 - project
13331 cloudflare:
13332 type: object
13333 description: Use the Cloudflare API to manage DNS01 challenge records.
13334 properties:
13335 apiKeySecretRef:
13336 type: object
13337 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
13338 properties:
13339 name:
13340 type: string
13341 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13342 key:
13343 type: string
13344 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13345 required:
13346 - name
13347 apiTokenSecretRef:
13348 type: object
13349 description: API token used to authenticate with Cloudflare.
13350 properties:
13351 name:
13352 type: string
13353 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13354 key:
13355 type: string
13356 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13357 required:
13358 - name
13359 email:
13360 type: string
13361 description: Email of the account, only required when using API key based authentication.
13362 cnameStrategy:
13363 type: string
13364 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
13365 enum:
13366 - None
13367 - Follow
13368 digitalocean:
13369 type: object
13370 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
13371 properties:
13372 tokenSecretRef:
13373 type: object
13374 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13375 properties:
13376 name:
13377 type: string
13378 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13379 key:
13380 type: string
13381 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13382 required:
13383 - name
13384 required:
13385 - tokenSecretRef
13386 rfc2136:
13387 type: object
13388 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
13389 properties:
13390 nameserver:
13391 type: string
13392 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
13393 tsigAlgorithm:
13394 type: string
13395 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
13396 tsigKeyName:
13397 type: string
13398 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
13399 tsigSecretSecretRef:
13400 type: object
13401 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
13402 properties:
13403 name:
13404 type: string
13405 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13406 key:
13407 type: string
13408 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13409 required:
13410 - name
13411 required:
13412 - nameserver
13413 route53:
13414 type: object
13415 description: Use the AWS Route53 API to manage DNS01 challenge records.
13416 properties:
13417 accessKeyID:
13418 type: string
13419 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
13420 hostedZoneID:
13421 type: string
13422 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
13423 region:
13424 type: string
13425 description: Always set the region when using AccessKeyID and SecretAccessKey
13426 role:
13427 type: string
13428 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
13429 secretAccessKeySecretRef:
13430 type: object
13431 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata. See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
13432 properties:
13433 name:
13434 type: string
13435 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13436 key:
13437 type: string
13438 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13439 required:
13440 - name
13441 required:
13442 - region
13443 webhook:
13444 type: object
13445 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
13446 properties:
13447 config:
13448 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
13449 x-kubernetes-preserve-unknown-fields: true
13450 groupName:
13451 type: string
13452 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
13453 solverName:
13454 type: string
13455 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
13456 required:
13457 - groupName
13458 - solverName
13459 http01:
13460 type: object
13461 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
13462 properties:
13463 gatewayHTTPRoute:
13464 type: object
13465 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
13466 properties:
13467 labels:
13468 type: object
13469 additionalProperties:
13470 type: string
13471 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
13472 serviceType:
13473 type: string
13474 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13475 ingress:
13476 type: object
13477 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
13478 properties:
13479 name:
13480 type: string
13481 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
13482 class:
13483 type: string
13484 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
13485 ingressTemplate:
13486 type: object
13487 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
13488 properties:
13489 metadata:
13490 type: object
13491 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13492 properties:
13493 labels:
13494 type: object
13495 additionalProperties:
13496 type: string
13497 description: Labels that should be added to the created ACME HTTP01 solver ingress.
13498 annotations:
13499 type: object
13500 additionalProperties:
13501 type: string
13502 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
13503 podTemplate:
13504 type: object
13505 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
13506 properties:
13507 metadata:
13508 type: object
13509 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13510 properties:
13511 labels:
13512 type: object
13513 additionalProperties:
13514 type: string
13515 description: Labels that should be added to the created ACME HTTP01 solver pods.
13516 annotations:
13517 type: object
13518 additionalProperties:
13519 type: string
13520 description: Annotations that should be added to the created ACME HTTP01 solver pods.
13521 spec:
13522 type: object
13523 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
13524 properties:
13525 serviceAccountName:
13526 type: string
13527 description: If specified, the pod's service account.
13528 priorityClassName:
13529 type: string
13530 description: If specified, the pod's priorityClassName.
13531 nodeSelector:
13532 type: object
13533 additionalProperties:
13534 type: string
13535 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
13536 affinity:
13537 type: object
13538 description: If specified, the pod's scheduling constraints.
13539 properties:
13540 nodeAffinity:
13541 type: object
13542 description: Describes node affinity scheduling rules for the pod.
13543 properties:
13544 preferredDuringSchedulingIgnoredDuringExecution:
13545 type: array
13546 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
13547 items:
13548 type: object
13549 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
13550 properties:
13551 preference:
13552 type: object
13553 description: A node selector term, associated with the corresponding weight.
13554 properties:
13555 matchExpressions:
13556 type: array
13557 description: A list of node selector requirements by node's labels.
13558 items:
13559 type: object
13560 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13561 properties:
13562 key:
13563 type: string
13564 description: The label key that the selector applies to.
13565 operator:
13566 type: string
13567 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13568 values:
13569 type: array
13570 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13571 items:
13572 type: string
13573 required:
13574 - key
13575 - operator
13576 matchFields:
13577 type: array
13578 description: A list of node selector requirements by node's fields.
13579 items:
13580 type: object
13581 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13582 properties:
13583 key:
13584 type: string
13585 description: The label key that the selector applies to.
13586 operator:
13587 type: string
13588 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13589 values:
13590 type: array
13591 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13592 items:
13593 type: string
13594 required:
13595 - key
13596 - operator
13597 weight:
13598 type: integer
13599 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
13600 format: int32
13601 required:
13602 - preference
13603 - weight
13604 requiredDuringSchedulingIgnoredDuringExecution:
13605 type: object
13606 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
13607 properties:
13608 nodeSelectorTerms:
13609 type: array
13610 description: Required. A list of node selector terms. The terms are ORed.
13611 items:
13612 type: object
13613 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
13614 properties:
13615 matchExpressions:
13616 type: array
13617 description: A list of node selector requirements by node's labels.
13618 items:
13619 type: object
13620 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13621 properties:
13622 key:
13623 type: string
13624 description: The label key that the selector applies to.
13625 operator:
13626 type: string
13627 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13628 values:
13629 type: array
13630 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13631 items:
13632 type: string
13633 required:
13634 - key
13635 - operator
13636 matchFields:
13637 type: array
13638 description: A list of node selector requirements by node's fields.
13639 items:
13640 type: object
13641 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13642 properties:
13643 key:
13644 type: string
13645 description: The label key that the selector applies to.
13646 operator:
13647 type: string
13648 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13649 values:
13650 type: array
13651 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13652 items:
13653 type: string
13654 required:
13655 - key
13656 - operator
13657 required:
13658 - nodeSelectorTerms
13659 podAffinity:
13660 type: object
13661 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
13662 properties:
13663 preferredDuringSchedulingIgnoredDuringExecution:
13664 type: array
13665 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13666 items:
13667 type: object
13668 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13669 properties:
13670 podAffinityTerm:
13671 type: object
13672 description: Required. A pod affinity term, associated with the corresponding weight.
13673 properties:
13674 labelSelector:
13675 type: object
13676 description: A label query over a set of resources, in this case pods.
13677 properties:
13678 matchExpressions:
13679 type: array
13680 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13681 items:
13682 type: object
13683 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13684 properties:
13685 key:
13686 type: string
13687 description: key is the label key that the selector applies to.
13688 operator:
13689 type: string
13690 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13691 values:
13692 type: array
13693 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13694 items:
13695 type: string
13696 required:
13697 - key
13698 - operator
13699 matchLabels:
13700 type: object
13701 additionalProperties:
13702 type: string
13703 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13704 namespaceSelector:
13705 type: object
13706 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13707 properties:
13708 matchExpressions:
13709 type: array
13710 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13711 items:
13712 type: object
13713 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13714 properties:
13715 key:
13716 type: string
13717 description: key is the label key that the selector applies to.
13718 operator:
13719 type: string
13720 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13721 values:
13722 type: array
13723 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13724 items:
13725 type: string
13726 required:
13727 - key
13728 - operator
13729 matchLabels:
13730 type: object
13731 additionalProperties:
13732 type: string
13733 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13734 namespaces:
13735 type: array
13736 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13737 items:
13738 type: string
13739 topologyKey:
13740 type: string
13741 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13742 required:
13743 - topologyKey
13744 weight:
13745 type: integer
13746 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13747 format: int32
13748 required:
13749 - podAffinityTerm
13750 - weight
13751 requiredDuringSchedulingIgnoredDuringExecution:
13752 type: array
13753 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13754 items:
13755 type: object
13756 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13757 properties:
13758 labelSelector:
13759 type: object
13760 description: A label query over a set of resources, in this case pods.
13761 properties:
13762 matchExpressions:
13763 type: array
13764 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13765 items:
13766 type: object
13767 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13768 properties:
13769 key:
13770 type: string
13771 description: key is the label key that the selector applies to.
13772 operator:
13773 type: string
13774 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13775 values:
13776 type: array
13777 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13778 items:
13779 type: string
13780 required:
13781 - key
13782 - operator
13783 matchLabels:
13784 type: object
13785 additionalProperties:
13786 type: string
13787 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13788 namespaceSelector:
13789 type: object
13790 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13791 properties:
13792 matchExpressions:
13793 type: array
13794 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13795 items:
13796 type: object
13797 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13798 properties:
13799 key:
13800 type: string
13801 description: key is the label key that the selector applies to.
13802 operator:
13803 type: string
13804 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13805 values:
13806 type: array
13807 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13808 items:
13809 type: string
13810 required:
13811 - key
13812 - operator
13813 matchLabels:
13814 type: object
13815 additionalProperties:
13816 type: string
13817 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13818 namespaces:
13819 type: array
13820 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13821 items:
13822 type: string
13823 topologyKey:
13824 type: string
13825 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13826 required:
13827 - topologyKey
13828 podAntiAffinity:
13829 type: object
13830 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
13831 properties:
13832 preferredDuringSchedulingIgnoredDuringExecution:
13833 type: array
13834 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13835 items:
13836 type: object
13837 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13838 properties:
13839 podAffinityTerm:
13840 type: object
13841 description: Required. A pod affinity term, associated with the corresponding weight.
13842 properties:
13843 labelSelector:
13844 type: object
13845 description: A label query over a set of resources, in this case pods.
13846 properties:
13847 matchExpressions:
13848 type: array
13849 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13850 items:
13851 type: object
13852 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13853 properties:
13854 key:
13855 type: string
13856 description: key is the label key that the selector applies to.
13857 operator:
13858 type: string
13859 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13860 values:
13861 type: array
13862 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13863 items:
13864 type: string
13865 required:
13866 - key
13867 - operator
13868 matchLabels:
13869 type: object
13870 additionalProperties:
13871 type: string
13872 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13873 namespaceSelector:
13874 type: object
13875 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13876 properties:
13877 matchExpressions:
13878 type: array
13879 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13880 items:
13881 type: object
13882 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13883 properties:
13884 key:
13885 type: string
13886 description: key is the label key that the selector applies to.
13887 operator:
13888 type: string
13889 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13890 values:
13891 type: array
13892 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13893 items:
13894 type: string
13895 required:
13896 - key
13897 - operator
13898 matchLabels:
13899 type: object
13900 additionalProperties:
13901 type: string
13902 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13903 namespaces:
13904 type: array
13905 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13906 items:
13907 type: string
13908 topologyKey:
13909 type: string
13910 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13911 required:
13912 - topologyKey
13913 weight:
13914 type: integer
13915 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13916 format: int32
13917 required:
13918 - podAffinityTerm
13919 - weight
13920 requiredDuringSchedulingIgnoredDuringExecution:
13921 type: array
13922 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13923 items:
13924 type: object
13925 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13926 properties:
13927 labelSelector:
13928 type: object
13929 description: A label query over a set of resources, in this case pods.
13930 properties:
13931 matchExpressions:
13932 type: array
13933 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13934 items:
13935 type: object
13936 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13937 properties:
13938 key:
13939 type: string
13940 description: key is the label key that the selector applies to.
13941 operator:
13942 type: string
13943 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13944 values:
13945 type: array
13946 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13947 items:
13948 type: string
13949 required:
13950 - key
13951 - operator
13952 matchLabels:
13953 type: object
13954 additionalProperties:
13955 type: string
13956 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13957 namespaceSelector:
13958 type: object
13959 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13960 properties:
13961 matchExpressions:
13962 type: array
13963 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13964 items:
13965 type: object
13966 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13967 properties:
13968 key:
13969 type: string
13970 description: key is the label key that the selector applies to.
13971 operator:
13972 type: string
13973 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13974 values:
13975 type: array
13976 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13977 items:
13978 type: string
13979 required:
13980 - key
13981 - operator
13982 matchLabels:
13983 type: object
13984 additionalProperties:
13985 type: string
13986 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13987 namespaces:
13988 type: array
13989 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13990 items:
13991 type: string
13992 topologyKey:
13993 type: string
13994 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13995 required:
13996 - topologyKey
13997 tolerations:
13998 type: array
13999 description: If specified, the pod's tolerations.
14000 items:
14001 type: object
14002 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
14003 properties:
14004 value:
14005 type: string
14006 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
14007 effect:
14008 type: string
14009 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
14010 key:
14011 type: string
14012 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
14013 operator:
14014 type: string
14015 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
14016 tolerationSeconds:
14017 type: integer
14018 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
14019 format: int64
14020 serviceType:
14021 type: string
14022 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
14023 required:
14024 - privateKeySecretRef
14025 - server
14026 ca:
14027 type: object
14028 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
14029 properties:
14030 crlDistributionPoints:
14031 type: array
14032 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
14033 items:
14034 type: string
14035 ocspServers:
14036 type: array
14037 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
14038 items:
14039 type: string
14040 secretName:
14041 type: string
14042 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
14043 required:
14044 - secretName
14045 selfSigned:
14046 type: object
14047 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
14048 properties:
14049 crlDistributionPoints:
14050 type: array
14051 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
14052 items:
14053 type: string
14054 vault:
14055 type: object
14056 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
14057 properties:
14058 namespace:
14059 type: string
14060 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
14061 auth:
14062 type: object
14063 description: Auth configures how cert-manager authenticates with the Vault server.
14064 properties:
14065 appRole:
14066 type: object
14067 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
14068 properties:
14069 secretRef:
14070 type: object
14071 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
14072 properties:
14073 name:
14074 type: string
14075 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14076 key:
14077 type: string
14078 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14079 required:
14080 - name
14081 path:
14082 type: string
14083 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
14084 roleId:
14085 type: string
14086 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
14087 required:
14088 - path
14089 - roleId
14090 - secretRef
14091 kubernetes:
14092 type: object
14093 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
14094 properties:
14095 mountPath:
14096 type: string
14097 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
14098 secretRef:
14099 type: object
14100 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
14101 properties:
14102 name:
14103 type: string
14104 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14105 key:
14106 type: string
14107 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14108 required:
14109 - name
14110 role:
14111 type: string
14112 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
14113 required:
14114 - role
14115 - secretRef
14116 tokenSecretRef:
14117 type: object
14118 description: TokenSecretRef authenticates with Vault by presenting a token.
14119 properties:
14120 name:
14121 type: string
14122 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14123 key:
14124 type: string
14125 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14126 required:
14127 - name
14128 caBundle:
14129 type: string
14130 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
14131 format: byte
14132 path:
14133 type: string
14134 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
14135 server:
14136 type: string
14137 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
14138 required:
14139 - auth
14140 - path
14141 - server
14142 venafi:
14143 type: object
14144 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
14145 properties:
14146 cloud:
14147 type: object
14148 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
14149 properties:
14150 apiTokenSecretRef:
14151 type: object
14152 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
14153 properties:
14154 name:
14155 type: string
14156 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14157 key:
14158 type: string
14159 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14160 required:
14161 - name
14162 url:
14163 type: string
14164 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
14165 required:
14166 - apiTokenSecretRef
14167 tpp:
14168 type: object
14169 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
14170 properties:
14171 caBundle:
14172 type: string
14173 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
14174 format: byte
14175 credentialsRef:
14176 type: object
14177 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
14178 properties:
14179 name:
14180 type: string
14181 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14182 required:
14183 - name
14184 url:
14185 type: string
14186 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
14187 required:
14188 - credentialsRef
14189 - url
14190 zone:
14191 type: string
14192 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
14193 required:
14194 - zone
14195 status:
14196 type: object
14197 description: Status of the Issuer. This is set and managed automatically.
14198 properties:
14199 acme:
14200 type: object
14201 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
14202 properties:
14203 lastRegisteredEmail:
14204 type: string
14205 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
14206 uri:
14207 type: string
14208 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
14209 conditions:
14210 type: array
14211 description: List of status conditions to indicate the status of an Issuer. Known condition types are `Ready`.
14212 items:
14213 type: object
14214 description: IssuerCondition contains condition information for an Issuer.
14215 properties:
14216 type:
14217 type: string
14218 description: Type of the condition, known values are (`Ready`).
14219 status:
14220 type: string
14221 description: Status of the condition, one of (`True`, `False`, `Unknown`).
14222 enum:
14223 - "True"
14224 - "False"
14225 - Unknown
14226 lastTransitionTime:
14227 type: string
14228 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
14229 format: date-time
14230 message:
14231 type: string
14232 description: Message is a human readable description of the details of the last transition, complementing reason.
14233 observedGeneration:
14234 type: integer
14235 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
14236 format: int64
14237 reason:
14238 type: string
14239 description: Reason is a brief machine readable explanation for the condition's last transition.
14240 required:
14241 - status
14242 - type
14243 served: true
14244 storage: false
14245 subresources:
14246 status: {}
14247 - name: v1beta1
14248 additionalPrinterColumns:
14249 - name: Ready
14250 type: string
14251 jsonPath: .status.conditions[?(@.type=="Ready")].status
14252 - name: Status
14253 type: string
14254 priority: 1
14255 jsonPath: .status.conditions[?(@.type=="Ready")].message
14256 - name: Age
14257 type: date
14258 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
14259 jsonPath: .metadata.creationTimestamp
14260 schema:
14261 openAPIV3Schema:
14262 type: object
14263 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
14264 properties:
14265 apiVersion:
14266 type: string
14267 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
14268 kind:
14269 type: string
14270 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
14271 metadata:
14272 type: object
14273 spec:
14274 type: object
14275 description: Desired state of the Issuer resource.
14276 properties:
14277 acme:
14278 type: object
14279 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
14280 properties:
14281 disableAccountKeyGeneration:
14282 type: boolean
14283 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
14284 email:
14285 type: string
14286 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
14287 enableDurationFeature:
14288 type: boolean
14289 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
14290 externalAccountBinding:
14291 type: object
14292 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
14293 properties:
14294 keyAlgorithm:
14295 type: string
14296 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
14297 enum:
14298 - HS256
14299 - HS384
14300 - HS512
14301 keyID:
14302 type: string
14303 description: keyID is the ID of the CA key that the External Account is bound to.
14304 keySecretRef:
14305 type: object
14306 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
14307 properties:
14308 name:
14309 type: string
14310 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14311 key:
14312 type: string
14313 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14314 required:
14315 - name
14316 required:
14317 - keyID
14318 - keySecretRef
14319 preferredChain:
14320 type: string
14321 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
14322 maxLength: 64
14323 privateKeySecretRef:
14324 type: object
14325 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
14326 properties:
14327 name:
14328 type: string
14329 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14330 key:
14331 type: string
14332 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14333 required:
14334 - name
14335 server:
14336 type: string
14337 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
14338 skipTLSVerify:
14339 type: boolean
14340 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
14341 solvers:
14342 type: array
14343 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
14344 items:
14345 type: object
14346 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
14347 properties:
14348 selector:
14349 type: object
14350 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
14351 properties:
14352 dnsNames:
14353 type: array
14354 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
14355 items:
14356 type: string
14357 dnsZones:
14358 type: array
14359 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
14360 items:
14361 type: string
14362 matchLabels:
14363 type: object
14364 additionalProperties:
14365 type: string
14366 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
14367 dns01:
14368 type: object
14369 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
14370 properties:
14371 acmeDNS:
14372 type: object
14373 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
14374 properties:
14375 accountSecretRef:
14376 type: object
14377 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14378 properties:
14379 name:
14380 type: string
14381 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14382 key:
14383 type: string
14384 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14385 required:
14386 - name
14387 host:
14388 type: string
14389 required:
14390 - accountSecretRef
14391 - host
14392 akamai:
14393 type: object
14394 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
14395 properties:
14396 accessTokenSecretRef:
14397 type: object
14398 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14399 properties:
14400 name:
14401 type: string
14402 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14403 key:
14404 type: string
14405 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14406 required:
14407 - name
14408 clientSecretSecretRef:
14409 type: object
14410 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14411 properties:
14412 name:
14413 type: string
14414 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14415 key:
14416 type: string
14417 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14418 required:
14419 - name
14420 clientTokenSecretRef:
14421 type: object
14422 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14423 properties:
14424 name:
14425 type: string
14426 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14427 key:
14428 type: string
14429 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14430 required:
14431 - name
14432 serviceConsumerDomain:
14433 type: string
14434 required:
14435 - accessTokenSecretRef
14436 - clientSecretSecretRef
14437 - clientTokenSecretRef
14438 - serviceConsumerDomain
14439 azureDNS:
14440 type: object
14441 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
14442 properties:
14443 clientID:
14444 type: string
14445 description: If both this and ClientSecret are left unset, MSI will be used.
14446 clientSecretSecretRef:
14447 type: object
14448 description: If both this and ClientID are left unset, MSI will be used.
14449 properties:
14450 name:
14451 type: string
14452 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14453 key:
14454 type: string
14455 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14456 required:
14457 - name
14458 environment:
14459 type: string
14460 enum:
14461 - AzurePublicCloud
14462 - AzureChinaCloud
14463 - AzureGermanCloud
14464 - AzureUSGovernmentCloud
14465 hostedZoneName:
14466 type: string
14467 resourceGroupName:
14468 type: string
14469 subscriptionID:
14470 type: string
14471 tenantID:
14472 type: string
14473 description: When specifying ClientID and ClientSecret, this field is also required.
14474 required:
14475 - resourceGroupName
14476 - subscriptionID
14477 cloudDNS:
14478 type: object
14479 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
14480 properties:
14481 hostedZoneName:
14482 type: string
14483 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
14484 project:
14485 type: string
14486 serviceAccountSecretRef:
14487 type: object
14488 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14489 properties:
14490 name:
14491 type: string
14492 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14493 key:
14494 type: string
14495 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14496 required:
14497 - name
14498 required:
14499 - project
14500 cloudflare:
14501 type: object
14502 description: Use the Cloudflare API to manage DNS01 challenge records.
14503 properties:
14504 apiKeySecretRef:
14505 type: object
14506 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
14507 properties:
14508 name:
14509 type: string
14510 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14511 key:
14512 type: string
14513 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14514 required:
14515 - name
14516 apiTokenSecretRef:
14517 type: object
14518 description: API token used to authenticate with Cloudflare.
14519 properties:
14520 name:
14521 type: string
14522 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14523 key:
14524 type: string
14525 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14526 required:
14527 - name
14528 email:
14529 type: string
14530 description: Email of the account, only required when using API key based authentication.
14531 cnameStrategy:
14532 type: string
14533 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
14534 enum:
14535 - None
14536 - Follow
14537 digitalocean:
14538 type: object
14539 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
14540 properties:
14541 tokenSecretRef:
14542 type: object
14543 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14544 properties:
14545 name:
14546 type: string
14547 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14548 key:
14549 type: string
14550 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14551 required:
14552 - name
14553 required:
14554 - tokenSecretRef
14555 rfc2136:
14556 type: object
14557 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
14558 properties:
14559 nameserver:
14560 type: string
14561 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
14562 tsigAlgorithm:
14563 type: string
14564 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
14565 tsigKeyName:
14566 type: string
14567 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
14568 tsigSecretSecretRef:
14569 type: object
14570 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
14571 properties:
14572 name:
14573 type: string
14574 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14575 key:
14576 type: string
14577 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14578 required:
14579 - name
14580 required:
14581 - nameserver
14582 route53:
14583 type: object
14584 description: Use the AWS Route53 API to manage DNS01 challenge records.
14585 properties:
14586 accessKeyID:
14587 type: string
14588 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
14589 hostedZoneID:
14590 type: string
14591 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
14592 region:
14593 type: string
14594 description: Always set the region when using AccessKeyID and SecretAccessKey
14595 role:
14596 type: string
14597 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
14598 secretAccessKeySecretRef:
14599 type: object
14600 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
14601 properties:
14602 name:
14603 type: string
14604 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14605 key:
14606 type: string
14607 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14608 required:
14609 - name
14610 required:
14611 - region
14612 webhook:
14613 type: object
14614 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
14615 properties:
14616 config:
14617 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
14618 x-kubernetes-preserve-unknown-fields: true
14619 groupName:
14620 type: string
14621 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
14622 solverName:
14623 type: string
14624 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
14625 required:
14626 - groupName
14627 - solverName
14628 http01:
14629 type: object
14630 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
14631 properties:
14632 gatewayHTTPRoute:
14633 type: object
14634 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
14635 properties:
14636 labels:
14637 type: object
14638 additionalProperties:
14639 type: string
14640 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
14641 serviceType:
14642 type: string
14643 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
14644 ingress:
14645 type: object
14646 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
14647 properties:
14648 name:
14649 type: string
14650 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
14651 class:
14652 type: string
14653 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
14654 ingressTemplate:
14655 type: object
14656 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
14657 properties:
14658 metadata:
14659 type: object
14660 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14661 properties:
14662 labels:
14663 type: object
14664 additionalProperties:
14665 type: string
14666 description: Labels that should be added to the created ACME HTTP01 solver ingress.
14667 annotations:
14668 type: object
14669 additionalProperties:
14670 type: string
14671 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
14672 podTemplate:
14673 type: object
14674 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
14675 properties:
14676 metadata:
14677 type: object
14678 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14679 properties:
14680 labels:
14681 type: object
14682 additionalProperties:
14683 type: string
14684 description: Labels that should be added to the created ACME HTTP01 solver pods.
14685 annotations:
14686 type: object
14687 additionalProperties:
14688 type: string
14689 description: Annotations that should be added to the created ACME HTTP01 solver pods.
14690 spec:
14691 type: object
14692 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
14693 properties:
14694 serviceAccountName:
14695 type: string
14696 description: If specified, the pod's service account
14697 priorityClassName:
14698 type: string
14699 description: If specified, the pod's priorityClassName.
14700 nodeSelector:
14701 type: object
14702 additionalProperties:
14703 type: string
14704 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
14705 affinity:
14706 type: object
14707 description: If specified, the pod's scheduling constraints
14708 properties:
14709 nodeAffinity:
14710 type: object
14711 description: Describes node affinity scheduling rules for the pod.
14712 properties:
14713 preferredDuringSchedulingIgnoredDuringExecution:
14714 type: array
14715 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
14716 items:
14717 type: object
14718 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
14719 properties:
14720 preference:
14721 type: object
14722 description: A node selector term, associated with the corresponding weight.
14723 properties:
14724 matchExpressions:
14725 type: array
14726 description: A list of node selector requirements by node's labels.
14727 items:
14728 type: object
14729 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14730 properties:
14731 key:
14732 type: string
14733 description: The label key that the selector applies to.
14734 operator:
14735 type: string
14736 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14737 values:
14738 type: array
14739 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14740 items:
14741 type: string
14742 required:
14743 - key
14744 - operator
14745 matchFields:
14746 type: array
14747 description: A list of node selector requirements by node's fields.
14748 items:
14749 type: object
14750 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14751 properties:
14752 key:
14753 type: string
14754 description: The label key that the selector applies to.
14755 operator:
14756 type: string
14757 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14758 values:
14759 type: array
14760 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14761 items:
14762 type: string
14763 required:
14764 - key
14765 - operator
14766 weight:
14767 type: integer
14768 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
14769 format: int32
14770 required:
14771 - preference
14772 - weight
14773 requiredDuringSchedulingIgnoredDuringExecution:
14774 type: object
14775 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
14776 properties:
14777 nodeSelectorTerms:
14778 type: array
14779 description: Required. A list of node selector terms. The terms are ORed.
14780 items:
14781 type: object
14782 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
14783 properties:
14784 matchExpressions:
14785 type: array
14786 description: A list of node selector requirements by node's labels.
14787 items:
14788 type: object
14789 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14790 properties:
14791 key:
14792 type: string
14793 description: The label key that the selector applies to.
14794 operator:
14795 type: string
14796 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14797 values:
14798 type: array
14799 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14800 items:
14801 type: string
14802 required:
14803 - key
14804 - operator
14805 matchFields:
14806 type: array
14807 description: A list of node selector requirements by node's fields.
14808 items:
14809 type: object
14810 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14811 properties:
14812 key:
14813 type: string
14814 description: The label key that the selector applies to.
14815 operator:
14816 type: string
14817 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14818 values:
14819 type: array
14820 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14821 items:
14822 type: string
14823 required:
14824 - key
14825 - operator
14826 required:
14827 - nodeSelectorTerms
14828 podAffinity:
14829 type: object
14830 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
14831 properties:
14832 preferredDuringSchedulingIgnoredDuringExecution:
14833 type: array
14834 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14835 items:
14836 type: object
14837 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14838 properties:
14839 podAffinityTerm:
14840 type: object
14841 description: Required. A pod affinity term, associated with the corresponding weight.
14842 properties:
14843 labelSelector:
14844 type: object
14845 description: A label query over a set of resources, in this case pods.
14846 properties:
14847 matchExpressions:
14848 type: array
14849 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14850 items:
14851 type: object
14852 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14853 properties:
14854 key:
14855 type: string
14856 description: key is the label key that the selector applies to.
14857 operator:
14858 type: string
14859 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14860 values:
14861 type: array
14862 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14863 items:
14864 type: string
14865 required:
14866 - key
14867 - operator
14868 matchLabels:
14869 type: object
14870 additionalProperties:
14871 type: string
14872 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14873 namespaceSelector:
14874 type: object
14875 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14876 properties:
14877 matchExpressions:
14878 type: array
14879 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14880 items:
14881 type: object
14882 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14883 properties:
14884 key:
14885 type: string
14886 description: key is the label key that the selector applies to.
14887 operator:
14888 type: string
14889 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14890 values:
14891 type: array
14892 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14893 items:
14894 type: string
14895 required:
14896 - key
14897 - operator
14898 matchLabels:
14899 type: object
14900 additionalProperties:
14901 type: string
14902 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14903 namespaces:
14904 type: array
14905 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14906 items:
14907 type: string
14908 topologyKey:
14909 type: string
14910 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14911 required:
14912 - topologyKey
14913 weight:
14914 type: integer
14915 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
14916 format: int32
14917 required:
14918 - podAffinityTerm
14919 - weight
14920 requiredDuringSchedulingIgnoredDuringExecution:
14921 type: array
14922 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
14923 items:
14924 type: object
14925 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
14926 properties:
14927 labelSelector:
14928 type: object
14929 description: A label query over a set of resources, in this case pods.
14930 properties:
14931 matchExpressions:
14932 type: array
14933 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14934 items:
14935 type: object
14936 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14937 properties:
14938 key:
14939 type: string
14940 description: key is the label key that the selector applies to.
14941 operator:
14942 type: string
14943 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14944 values:
14945 type: array
14946 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14947 items:
14948 type: string
14949 required:
14950 - key
14951 - operator
14952 matchLabels:
14953 type: object
14954 additionalProperties:
14955 type: string
14956 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14957 namespaceSelector:
14958 type: object
14959 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14960 properties:
14961 matchExpressions:
14962 type: array
14963 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14964 items:
14965 type: object
14966 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14967 properties:
14968 key:
14969 type: string
14970 description: key is the label key that the selector applies to.
14971 operator:
14972 type: string
14973 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14974 values:
14975 type: array
14976 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14977 items:
14978 type: string
14979 required:
14980 - key
14981 - operator
14982 matchLabels:
14983 type: object
14984 additionalProperties:
14985 type: string
14986 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14987 namespaces:
14988 type: array
14989 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14990 items:
14991 type: string
14992 topologyKey:
14993 type: string
14994 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14995 required:
14996 - topologyKey
14997 podAntiAffinity:
14998 type: object
14999 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
15000 properties:
15001 preferredDuringSchedulingIgnoredDuringExecution:
15002 type: array
15003 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
15004 items:
15005 type: object
15006 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
15007 properties:
15008 podAffinityTerm:
15009 type: object
15010 description: Required. A pod affinity term, associated with the corresponding weight.
15011 properties:
15012 labelSelector:
15013 type: object
15014 description: A label query over a set of resources, in this case pods.
15015 properties:
15016 matchExpressions:
15017 type: array
15018 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15019 items:
15020 type: object
15021 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15022 properties:
15023 key:
15024 type: string
15025 description: key is the label key that the selector applies to.
15026 operator:
15027 type: string
15028 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15029 values:
15030 type: array
15031 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15032 items:
15033 type: string
15034 required:
15035 - key
15036 - operator
15037 matchLabels:
15038 type: object
15039 additionalProperties:
15040 type: string
15041 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15042 namespaceSelector:
15043 type: object
15044 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
15045 properties:
15046 matchExpressions:
15047 type: array
15048 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15049 items:
15050 type: object
15051 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15052 properties:
15053 key:
15054 type: string
15055 description: key is the label key that the selector applies to.
15056 operator:
15057 type: string
15058 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15059 values:
15060 type: array
15061 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15062 items:
15063 type: string
15064 required:
15065 - key
15066 - operator
15067 matchLabels:
15068 type: object
15069 additionalProperties:
15070 type: string
15071 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15072 namespaces:
15073 type: array
15074 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15075 items:
15076 type: string
15077 topologyKey:
15078 type: string
15079 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15080 required:
15081 - topologyKey
15082 weight:
15083 type: integer
15084 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
15085 format: int32
15086 required:
15087 - podAffinityTerm
15088 - weight
15089 requiredDuringSchedulingIgnoredDuringExecution:
15090 type: array
15091 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
15092 items:
15093 type: object
15094 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
15095 properties:
15096 labelSelector:
15097 type: object
15098 description: A label query over a set of resources, in this case pods.
15099 properties:
15100 matchExpressions:
15101 type: array
15102 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15103 items:
15104 type: object
15105 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15106 properties:
15107 key:
15108 type: string
15109 description: key is the label key that the selector applies to.
15110 operator:
15111 type: string
15112 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15113 values:
15114 type: array
15115 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15116 items:
15117 type: string
15118 required:
15119 - key
15120 - operator
15121 matchLabels:
15122 type: object
15123 additionalProperties:
15124 type: string
15125 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15126 namespaceSelector:
15127 type: object
15128 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
15129 properties:
15130 matchExpressions:
15131 type: array
15132 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15133 items:
15134 type: object
15135 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15136 properties:
15137 key:
15138 type: string
15139 description: key is the label key that the selector applies to.
15140 operator:
15141 type: string
15142 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15143 values:
15144 type: array
15145 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15146 items:
15147 type: string
15148 required:
15149 - key
15150 - operator
15151 matchLabels:
15152 type: object
15153 additionalProperties:
15154 type: string
15155 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15156 namespaces:
15157 type: array
15158 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15159 items:
15160 type: string
15161 topologyKey:
15162 type: string
15163 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15164 required:
15165 - topologyKey
15166 tolerations:
15167 type: array
15168 description: If specified, the pod's tolerations.
15169 items:
15170 type: object
15171 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
15172 properties:
15173 value:
15174 type: string
15175 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
15176 effect:
15177 type: string
15178 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
15179 key:
15180 type: string
15181 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
15182 operator:
15183 type: string
15184 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
15185 tolerationSeconds:
15186 type: integer
15187 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
15188 format: int64
15189 serviceType:
15190 type: string
15191 description: Optional service type for the Kubernetes solver Service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. Note that NodePort allocates a port for the solver on every node of the cluster; prefer ClusterIP where the ingress controller can reach cluster-internal Services.
15192 required:
15193 - privateKeySecretRef
15194 - server
15195 ca:
15196 type: object
15197 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
15198 properties:
15199 crlDistributionPoints:
15200 type: array
15201 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
15202 items:
15203 type: string
15204 ocspServers:
15205 type: array
15206 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
15207 items:
15208 type: string
15209 secretName:
15210 type: string
15211 description: SecretName is the name of the Secret holding the CA keypair used to sign Certificates issued by this Issuer. Because this Secret contains the CA private key, read access to it should be restricted (for example via RBAC) to the cert-manager controller.
15212 required:
15213 - secretName
15214 selfSigned:
15215 type: object
15216 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
15217 properties:
15218 crlDistributionPoints:
15219 type: array
15220 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
15221 items:
15222 type: string
15223 vault:
15224 type: object
15225 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
15226 properties:
15227 namespace:
15228 type: string
15229 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
15230 auth:
15231 type: object
15232 description: Auth configures how cert-manager authenticates with the Vault server.
15233 properties:
15234 appRole:
15235 type: object
15236 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
15237 properties:
15238 secretRef:
15239 type: object
15240 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
15241 properties:
15242 name:
15243 type: string
15244 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15245 key:
15246 type: string
15247 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15248 required:
15249 - name
15250 path:
15251 type: string
15252 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
15253 roleId:
15254 type: string
15255 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
15256 required:
15257 - path
15258 - roleId
15259 - secretRef
15260 kubernetes:
15261 type: object
15262 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
15263 properties:
15264 mountPath:
15265 type: string
15266 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
15267 secretRef:
15268 type: object
15269 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
15270 properties:
15271 name:
15272 type: string
15273 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15274 key:
15275 type: string
15276 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15277 required:
15278 - name
15279 role:
15280 type: string
15281 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
15282 required:
15283 - role
15284 - secretRef
15285 tokenSecretRef:
15286 type: object
15287 description: TokenSecretRef authenticates with Vault by presenting a token.
15288 properties:
15289 name:
15290 type: string
15291 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15292 key:
15293 type: string
15294 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15295 required:
15296 - name
15297 caBundle:
15298 type: string
15299 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol; it is ignored for a plain HTTP connection, in which case the credentials configured under `auth` are sent to Vault unencrypted. If not set, the system root certificates are used to validate the TLS connection.
15300 format: byte
15301 path:
15302 type: string
15303 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
15304 server:
15305 type: string
15306 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
15307 required:
15308 - auth
15309 - path
15310 - server
15311 venafi:
15312 type: object
15313 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
15314 properties:
15315 cloud:
15316 type: object
15317 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
15318 properties:
15319 apiTokenSecretRef:
15320 type: object
15321 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
15322 properties:
15323 name:
15324 type: string
15325 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15326 key:
15327 type: string
15328 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15329 required:
15330 - name
15331 url:
15332 type: string
15333 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
15334 required:
15335 - apiTokenSecretRef
15336 tpp:
15337 type: object
15338 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
15339 properties:
15340 caBundle:
15341 type: string
15342 description: CABundle is a PEM-encoded CA certificate or chain (base64-encoded in the manifest) used to verify TLS connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
15343 format: byte
15344 credentialsRef:
15345 type: object
15346 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
15347 properties:
15348 name:
15349 type: string
15350 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15351 required:
15352 - name
15353 url:
15354 type: string
15355 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
15356 required:
15357 - credentialsRef
15358 - url
15359 zone:
15360 type: string
15361 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
15362 required:
15363 - zone
15364 status:
15365 type: object
15366 description: Status of the Issuer. This is set and managed automatically.
15367 properties:
15368 acme:
15369 type: object
15370 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
15371 properties:
15372 lastRegisteredEmail:
15373 type: string
15374 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
15375 uri:
15376 type: string
15377 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
15378 conditions:
15379 type: array
15380 description: List of status conditions to indicate the status of an Issuer. Known condition types are `Ready`.
15381 items:
15382 type: object
15383 description: IssuerCondition contains condition information for an Issuer.
15384 properties:
15385 type:
15386 type: string
15387 description: Type of the condition, known values are (`Ready`).
15388 status:
15389 type: string
15390 description: Status of the condition, one of (`True`, `False`, `Unknown`).
15391 enum:
15392 - "True"
15393 - "False"
15394 - Unknown
15395 lastTransitionTime:
15396 type: string
15397 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
15398 format: date-time
15399 message:
15400 type: string
15401 description: Message is a human readable description of the details of the last transition, complementing reason.
15402 observedGeneration:
15403 type: integer
15404 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
15405 format: int64
15406 reason:
15407 type: string
15408 description: Reason is a brief machine readable explanation for the condition's last transition.
15409 required:
15410 - status
15411 - type
15412 required:
15413 - spec
15414 served: true
15415 storage: false
15416 subresources:
15417 status: {}
15418---
15419# Source: cert-manager/templates/templates.out
15420apiVersion: apiextensions.k8s.io/v1
15421kind: CustomResourceDefinition
15422metadata:
15423 name: orders.acme.cert-manager.io
15424 labels:
15425 app: 'cert-manager'
15426 app.kubernetes.io/instance: 'cert-manager'
15427 app.kubernetes.io/name: 'cert-manager'
15428 # Generated labels
15429 app.kubernetes.io/version: "v1.5.4"
15430 annotations:
15431 cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
15432 pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
15433 pallet.edge.ncr.com/name: cert-manager
15434 pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
15435 pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
15436 pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
15437 pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
15438spec:
15439 conversion:
15440 # A Webhook strategy instructs the API server to call an external webhook for any conversion between versions of this custom resource.
15441 strategy: Webhook
15442 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
15443 webhook:
15444 clientConfig:
15445 # No caBundle is set here: the API server's trust in the webhook's TLS certificate relies on cainjector populating it from the Secret named by the cert-manager.io/inject-ca-from-secret annotation on this CRD (cert-manager/cert-manager-webhook-ca). If that injection has not happened, the API server has no trust anchor for the webhook and conversion requests for this resource are expected to fail; check that cainjector is running before debugging conversion errors.
15446 service:
15447 name: 'cert-manager-webhook'
15448 namespace: "cert-manager"
15449 path: /convert
15450 #
15451 # We don't actually support `v1beta1` but is listed here as it is a
15452 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
15453 # API server reads the supported versions in order, so _should always_
15454 # attempt a `v1` request which is understood by the cert-manager webhook.
15455 # Any `v1beta1` request will return an error and fail closed for that
15456 # resource (the whole object request is rejected).
15457 # When we no longer support v1.16 we can remove `v1beta1` from this list.
15458 conversionReviewVersions: ["v1", "v1beta1"]
15459 group: acme.cert-manager.io
15460 names:
15461 kind: Order
15462 categories:
15463 - cert-manager
15464 - cert-manager-acme
15465 listKind: OrderList
15466 plural: orders
15467 singular: order
15468 scope: Namespaced
15469 versions:
15470 - name: v1
15471 additionalPrinterColumns:
15472 - name: State
15473 type: string
15474 jsonPath: .status.state
15475 - name: Issuer
15476 type: string
15477 priority: 1
15478 jsonPath: .spec.issuerRef.name
15479 - name: Reason
15480 type: string
15481 priority: 1
15482 jsonPath: .status.reason
15483 - name: Age
15484 type: date
15485 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15486 jsonPath: .metadata.creationTimestamp
15487 schema:
15488 openAPIV3Schema:
15489 type: object
15490 description: Order is a type to represent an Order with an ACME server
15491 properties:
15492 apiVersion:
15493 type: string
15494 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15495 kind:
15496 type: string
15497 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15498 metadata:
15499 type: object
15500 spec:
15501 type: object
15502 properties:
15503 commonName:
15504 type: string
15505 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15506 dnsNames:
15507 type: array
15508 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15509 items:
15510 type: string
15511 duration:
15512 type: string
15513 description: Duration is the duration for the not after date for the requested certificate. This is set on Order creation as per the ACME spec.
15514 ipAddresses:
15515 type: array
15516 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15517 items:
15518 type: string
15519 issuerRef:
15520 type: object
15521 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15522 properties:
15523 name:
15524 type: string
15525 description: Name of the resource being referred to.
15526 kind:
15527 type: string
15528 description: Kind of the resource being referred to.
15529 group:
15530 type: string
15531 description: Group of the resource being referred to.
15532 required:
15533 - name
15534 request:
15535 type: string
15536 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15537 format: byte
15538 required:
15539 - issuerRef
15540 - request
15541 status:
15542 type: object
15543 properties:
15544 authorizations:
15545 type: array
15546 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15547 items:
15548 type: object
15549 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15550 properties:
15551 challenges:
15552 type: array
15553 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15554 items:
15555 type: object
15556 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15557 properties:
15558 type:
15559 type: string
15560 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15561 token:
15562 type: string
15563 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15564 url:
15565 type: string
15566 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15567 required:
15568 - token
15569 - type
15570 - url
15571 identifier:
15572 type: string
15573 description: Identifier is the DNS name to be validated as part of this authorization
15574 initialState:
15575 type: string
15576 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15577 enum:
15578 - valid
15579 - ready
15580 - pending
15581 - processing
15582 - invalid
15583 - expired
15584 - errored
15585 url:
15586 type: string
15587 description: URL is the URL of the Authorization that must be completed
15588 wildcard:
15589 type: boolean
15590 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15591 required:
15592 - url
15593 certificate:
15594 type: string
15595 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15596 format: byte
15597 failureTime:
15598 type: string
15599 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15600 format: date-time
15601 finalizeURL:
15602 type: string
15603 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15604 reason:
15605 type: string
15606 description: Reason optionally provides more information about why the Order is in its current state.
15607 state:
15608 type: string
15609 description: State contains the current state of this Order resource. States 'valid' (the state reached after successful finalization; the enum below has no 'success' value) and 'expired' are 'final'.
15610 enum:
15611 - valid
15612 - ready
15613 - pending
15614 - processing
15615 - invalid
15616 - expired
15617 - errored
15618 url:
15619 type: string
15620 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15621 required:
15622 - metadata
15623 - spec
15624 served: true
15625 storage: true
15626 subresources:
15627 status: {}
15628 - name: v1alpha2
15629 additionalPrinterColumns:
15630 - name: State
15631 type: string
15632 jsonPath: .status.state
15633 - name: Issuer
15634 type: string
15635 priority: 1
15636 jsonPath: .spec.issuerRef.name
15637 - name: Reason
15638 type: string
15639 priority: 1
15640 jsonPath: .status.reason
15641 - name: Age
15642 type: date
15643 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15644 jsonPath: .metadata.creationTimestamp
15645 schema:
15646 openAPIV3Schema:
15647 type: object
15648 description: Order is a type to represent an Order with an ACME server
15649 properties:
15650 apiVersion:
15651 type: string
15652 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15653 kind:
15654 type: string
15655 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15656 metadata:
15657 type: object
15658 spec:
15659 type: object
15660 properties:
15661 commonName:
15662 type: string
15663 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15664 csr:
15665 type: string
15666 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15667 format: byte
15668 dnsNames:
15669 type: array
15670 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15671 items:
15672 type: string
15673 duration:
15674 type: string
15675 description: Duration is the duration for the not after date for the requested certificate. This is set on Order creation as per the ACME spec.
15676 ipAddresses:
15677 type: array
15678 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15679 items:
15680 type: string
15681 issuerRef:
15682 type: object
15683 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15684 properties:
15685 name:
15686 type: string
15687 description: Name of the resource being referred to.
15688 kind:
15689 type: string
15690 description: Kind of the resource being referred to.
15691 group:
15692 type: string
15693 description: Group of the resource being referred to.
15694 required:
15695 - name
15696 required:
15697 - csr
15698 - issuerRef
15699 status:
15700 type: object
15701 properties:
15702 authorizations:
15703 type: array
15704 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15705 items:
15706 type: object
15707 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15708 properties:
15709 challenges:
15710 type: array
15711 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15712 items:
15713 type: object
15714 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15715 properties:
15716 type:
15717 type: string
15718 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15719 token:
15720 type: string
15721 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15722 url:
15723 type: string
15724 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15725 required:
15726 - token
15727 - type
15728 - url
15729 identifier:
15730 type: string
15731 description: Identifier is the DNS name to be validated as part of this authorization
15732 initialState:
15733 type: string
15734 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15735 enum:
15736 - valid
15737 - ready
15738 - pending
15739 - processing
15740 - invalid
15741 - expired
15742 - errored
15743 url:
15744 type: string
15745 description: URL is the URL of the Authorization that must be completed
15746 wildcard:
15747 type: boolean
15748 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15749 required:
15750 - url
15751 certificate:
15752 type: string
15753 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15754 format: byte
15755 failureTime:
15756 type: string
15757 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15758 format: date-time
15759 finalizeURL:
15760 type: string
15761 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15762 reason:
15763 type: string
15764 description: Reason optionally provides more information about why the order is in the current state.
15765 state:
15766 type: string
15767 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15768 enum:
15769 - valid
15770 - ready
15771 - pending
15772 - processing
15773 - invalid
15774 - expired
15775 - errored
15776 url:
15777 type: string
15778 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15779 required:
15780 - metadata
15781 served: true
15782 storage: false
15783 subresources:
15784 status: {}
15785 - name: v1alpha3
15786 additionalPrinterColumns:
15787 - name: State
15788 type: string
15789 jsonPath: .status.state
15790 - name: Issuer
15791 type: string
15792 priority: 1
15793 jsonPath: .spec.issuerRef.name
15794 - name: Reason
15795 type: string
15796 priority: 1
15797 jsonPath: .status.reason
15798 - name: Age
15799 type: date
15800 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15801 jsonPath: .metadata.creationTimestamp
15802 schema:
15803 openAPIV3Schema:
15804 type: object
15805 description: Order is a type to represent an Order with an ACME server
15806 properties:
15807 apiVersion:
15808 type: string
15809 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15810 kind:
15811 type: string
15812 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15813 metadata:
15814 type: object
15815 spec:
15816 type: object
15817 properties:
15818 commonName:
15819 type: string
15820 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15821 csr:
15822 type: string
15823 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15824 format: byte
15825 dnsNames:
15826 type: array
15827 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15828 items:
15829 type: string
15830 duration:
15831 type: string
15832 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15833 ipAddresses:
15834 type: array
15835 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15836 items:
15837 type: string
15838 issuerRef:
15839 type: object
15840 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15841 properties:
15842 name:
15843 type: string
15844 description: Name of the resource being referred to.
15845 kind:
15846 type: string
15847 description: Kind of the resource being referred to.
15848 group:
15849 type: string
15850 description: Group of the resource being referred to.
15851 required:
15852 - name
15853 required:
15854 - csr
15855 - issuerRef
15856 status:
15857 type: object
15858 properties:
15859 authorizations:
15860 type: array
15861 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15862 items:
15863 type: object
15864 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15865 properties:
15866 challenges:
15867 type: array
15868 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15869 items:
15870 type: object
15871 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15872 properties:
15873 type:
15874 type: string
15875 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15876 token:
15877 type: string
15878 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15879 url:
15880 type: string
15881 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15882 required:
15883 - token
15884 - type
15885 - url
15886 identifier:
15887 type: string
15888 description: Identifier is the DNS name to be validated as part of this authorization
15889 initialState:
15890 type: string
15891 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15892 enum:
15893 - valid
15894 - ready
15895 - pending
15896 - processing
15897 - invalid
15898 - expired
15899 - errored
15900 url:
15901 type: string
15902 description: URL is the URL of the Authorization that must be completed
15903 wildcard:
15904 type: boolean
15905 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15906 required:
15907 - url
15908 certificate:
15909 type: string
15910 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15911 format: byte
15912 failureTime:
15913 type: string
15914 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15915 format: date-time
15916 finalizeURL:
15917 type: string
15918 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15919 reason:
15920 type: string
15921 description: Reason optionally provides more information about why the order is in the current state.
15922 state:
15923 type: string
15924 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15925 enum:
15926 - valid
15927 - ready
15928 - pending
15929 - processing
15930 - invalid
15931 - expired
15932 - errored
15933 url:
15934 type: string
15935 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15936 required:
15937 - metadata
15938 served: true
15939 storage: false
15940 subresources:
15941 status: {}
15942 - name: v1beta1
15943 additionalPrinterColumns:
15944 - name: State
15945 type: string
15946 jsonPath: .status.state
15947 - name: Issuer
15948 type: string
15949 priority: 1
15950 jsonPath: .spec.issuerRef.name
15951 - name: Reason
15952 type: string
15953 priority: 1
15954 jsonPath: .status.reason
15955 - name: Age
15956 type: date
15957 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15958 jsonPath: .metadata.creationTimestamp
15959 schema:
15960 openAPIV3Schema:
15961 type: object
15962 description: Order is a type to represent an Order with an ACME server
15963 properties:
15964 apiVersion:
15965 type: string
15966 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15967 kind:
15968 type: string
15969 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15970 metadata:
15971 type: object
15972 spec:
15973 type: object
15974 properties:
15975 commonName:
15976 type: string
15977 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15978 dnsNames:
15979 type: array
15980 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15981 items:
15982 type: string
15983 duration:
15984 type: string
15985 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15986 ipAddresses:
15987 type: array
15988 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15989 items:
15990 type: string
15991 issuerRef:
15992 type: object
15993 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15994 properties:
15995 name:
15996 type: string
15997 description: Name of the resource being referred to.
15998 kind:
15999 type: string
16000 description: Kind of the resource being referred to.
16001 group:
16002 type: string
16003 description: Group of the resource being referred to.
16004 required:
16005 - name
16006 request:
16007 type: string
16008 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
16009 format: byte
16010 required:
16011 - issuerRef
16012 - request
16013 status:
16014 type: object
16015 properties:
16016 authorizations:
16017 type: array
16018 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
16019 items:
16020 type: object
16021 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
16022 properties:
16023 challenges:
16024 type: array
16025 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
16026 items:
16027 type: object
16028 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
16029 properties:
16030 type:
16031 type: string
16032 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
16033 token:
16034 type: string
16035 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
16036 url:
16037 type: string
16038 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
16039 required:
16040 - token
16041 - type
16042 - url
16043 identifier:
16044 type: string
16045 description: Identifier is the DNS name to be validated as part of this authorization
16046 initialState:
16047 type: string
16048 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
16049 enum:
16050 - valid
16051 - ready
16052 - pending
16053 - processing
16054 - invalid
16055 - expired
16056 - errored
16057 url:
16058 type: string
16059 description: URL is the URL of the Authorization that must be completed
16060 wildcard:
16061 type: boolean
16062 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
16063 required:
16064 - url
16065 certificate:
16066 type: string
16067 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
16068 format: byte
16069 failureTime:
16070 type: string
16071 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
16072 format: date-time
16073 finalizeURL:
16074 type: string
16075 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
16076 reason:
16077 type: string
16078 description: Reason optionally provides more information about why the order is in the current state.
16079 state:
16080 type: string
16081 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
16082 enum:
16083 - valid
16084 - ready
16085 - pending
16086 - processing
16087 - invalid
16088 - expired
16089 - errored
16090 url:
16091 type: string
16092 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
16093 required:
16094 - metadata
16095 - spec
16096 served: true
16097 storage: false
16098 subresources:
16099 status: {}
16100---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity of the cert-manager controller pods. automountServiceAccountToken
# means pods running as this account get its API token mounted; the
# RoleBindings/ClusterRoleBindings that reference it (elsewhere in this
# bundle) decide what that token may do.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
automountServiceAccountToken: true
16121---
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
# Identity of the CA injector pods. Its token is mounted automatically; the
# cert-manager-cainjector ClusterRole/Role bound to it (see the RBAC documents
# in this bundle) define its reach, which includes cluster-wide Secret reads.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
automountServiceAccountToken: true
16142---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
# Identity of the admission/conversion webhook pods. Its token is mounted
# automatically; the namespace-scoped dynamic-serving Role lets it manage its
# own serving CA Secret.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
automountServiceAccountToken: true
16163---
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
# Namespace-scoped lock permissions for the cainjector's two leader-election
# loops. get/update/patch are pinned to the two lock object names; create is
# granted in a separate, unpinned rule because RBAC resourceNames cannot
# restrict create.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: 'cert-manager-cainjector:leaderelection'
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  # see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  # see cmd/cainjector/start.go#L137
  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - cert-manager-cainjector-leader-election
      - cert-manager-cainjector-leader-election-core
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - cert-manager-cainjector-leader-election
      - cert-manager-cainjector-leader-election-core
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
16205---
# Source: cert-manager/templates/webhook-rbac.yaml
# Lets the webhook manage its own serving CA Secret inside its namespace.
# Mutating access to existing Secrets is pinned to cert-manager-webhook-ca;
# create is a separate, unpinned rule (see the comment below), so this
# account can create arbitrary Secrets in the cert-manager namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: 'cert-manager-webhook:dynamic-serving'
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    resourceNames:
      - cert-manager-webhook-ca
    verbs:
      - get
      - list
      - watch
      - update
  # It's not possible to grant CREATE permission on a single resourceName.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
16235---
# Source: cert-manager/templates/rbac.yaml
# Namespace-scoped lock permissions for the controller's leader election.
# get/update/patch are pinned to the cert-manager-controller lock object;
# create is granted in a separate, unpinned rule because RBAC resourceNames
# cannot restrict create.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: 'cert-manager:leaderelection'
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  # Used for leader election by the controller
  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - cert-manager-controller
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - cert-manager-controller
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
16272---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Cluster-wide permissions of the CA injector. Two grants deserve attention
# from a least-privilege standpoint: read access to every Secret in every
# namespace (RBAC cannot narrow this to CA-bundle Secrets), and update on the
# admission-webhook configurations, APIServices and CRDs, i.e. on the objects
# that tell the API server which CA to trust for webhooks, aggregated APIs
# and conversion. Treat this ServiceAccount's token as highly sensitive and
# audit writes to those cluster-scoped objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  # Read-only view of Certificates, used to find the CA to inject.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
    verbs:
      - get
      - list
      - watch
  # Read-only, but cluster-wide and unfiltered: every Secret is readable.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - get
      - create
      - update
      - patch
  # update on the following cluster-scoped objects is what performs the
  # injection of the CA bundle into their clientConfig/caBundle fields.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - update
  # auditregistration.k8s.io (AuditSink) was removed from Kubernetes in v1.19;
  # on newer clusters this rule is inert and could be dropped without effect.
  - apiGroups:
      - auditregistration.k8s.io
    resources:
      - auditsinks
    verbs:
      - get
      - list
      - watch
      - update
16313---
# Source: cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
# The approve verb is scoped by resourceNames to the two cert-manager.io
# signer families only, so this role cannot approve requests for other
# signers. (Note: the component label here is "cert-manager", unlike the
# "controller" value used on the sibling ClusterRoles.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: 'cert-manager-controller-approve:cert-manager-io'
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  - apiGroups:
      - cert-manager.io
    resources:
      - signers
    resourceNames:
      - 'issuers.cert-manager.io/*'
      - 'clusterissuers.cert-manager.io/*'
    verbs:
      - approve
16338---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
# Cluster-wide permissions of the Certificates/CertificateRequests controller.
# The Secrets rule is the sensitive one: it is full get/list/watch/create/
# update/delete on Secrets in every namespace, because this is the component
# that writes issued certificates and their private keys into Secrets.
# Compromise of this ServiceAccount's token therefore exposes every Secret in
# the cluster, not just certificate material.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  # Status and spec updates on the controller's own resources.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificates/status
      - certificaterequests
      - certificaterequests/status
    verbs:
      - update
  # Read-only view of issuers and the resources being reconciled.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - clusterissuers
      - issuers
    verbs:
      - get
      - list
      - watch
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates/finalizers
      - certificaterequests/finalizers
    verbs:
      - update
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - orders
    verbs:
      - create
      - delete
      - get
      - list
      - watch
  # Cluster-wide, unfiltered read/write on Secrets (see header comment).
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
16380---
# Source: cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
# The sign verb is pinned by resourceNames to the two cert-manager.io signer
# families, so this role cannot sign CSRs addressed to other signers (e.g. the
# built-in kubernetes.io ones). SubjectAccessReview create is needed for the
# controller to check, on the requester's behalf, that they may use the
# referenced Issuer.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: 'v1.5.4'
  annotations:
    # Pallet build provenance: render time, source revision and owning team.
    pallet.edge.ncr.com/created: '2023-02-16T21:26:39Z'
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: '696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/source: 'https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1'
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: '7.7.7-rc.1676582799+commit.696897a'
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/status
    verbs:
      - update
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - 'issuers.cert-manager.io/*'
      - 'clusterissuers.cert-manager.io/*'
    verbs:
      - sign
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
16416---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
#
# This is a ClusterRole; when bound through a ClusterRoleBinding (as this bundle does
# for the `cert-manager` ServiceAccount) every rule below applies in all namespaces.
# In particular the secrets read and the pod/service/ingress create+delete grants for
# HTTP01 solvers are cluster-wide, not limited to the cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # Used to update challenge resource status
  - resources: ["challenges", "challenges/status"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["update"]
  # Used to watch challenge resources
  - resources: ["challenges"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["get", "list", "watch"]
  # Used to watch issuer and clusterissuer resources
  - resources: ["issuers", "clusterissuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges.
  # Read-only, but unscoped: this grants get/list/watch on every Secret in the cluster.
  - resources: ["secrets"]
    apiGroups: [""]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - resources: ["events"]
    apiGroups: [""]
    verbs: ["create", "patch"]
  # HTTP01 rules: the solver pods/services/ingresses are created and torn down by
  # the controller, so create/delete (and update for ingresses) are required here.
  - resources: ["pods", "services"]
    apiGroups: [""]
    verbs: ["get", "list", "watch", "create", "delete"]
  - resources: ["ingresses"]
    apiGroups: ["networking.k8s.io"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # networking.x-k8s.io is the experimental (v1alpha1) Gateway API group; the rule
  # is inert on clusters where that API is not installed.
  - resources: ["httproutes"]
    apiGroups: ["networking.x-k8s.io"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - resources: ["routes/custom-host"]
    apiGroups: ["route.openshift.io"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - resources: ["challenges/finalizers"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["update"]
  # DNS01 rules (duplicated above). This rule is byte-identical to the secrets rule
  # earlier in this role; RBAC unions rules, so it adds nothing, but it is harmless.
  - resources: ["secrets"]
    apiGroups: [""]
    verbs: ["get", "list", "watch"]
16483---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
#
# The secrets rule below is full read/write (get/list/watch/create/update/delete)
# and, bound via ClusterRoleBinding, applies to every namespace. The controller's
# `--cluster-resource-namespace` flag (set in the cert-manager Deployment) is a
# controller-side setting, not an RBAC bound; it does not narrow this grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # Write access to ClusterIssuer objects and their status subresource.
  - resources: ["clusterissuers", "clusterissuers/status"]
    apiGroups: ["cert-manager.io"]
    verbs: ["update"]
  # Read/watch ClusterIssuers (cluster-scoped resource).
  - resources: ["clusterissuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["get", "list", "watch"]
  # Issuer credentials (e.g. ACME account keys, CA key pairs) live in Secrets;
  # this is the broadest grant in the role.
  - resources: ["secrets"]
    apiGroups: [""]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - resources: ["events"]
    apiGroups: [""]
    verbs: ["create", "patch"]
16516---
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
#
# ingress-shim turns annotated Ingress / Gateway API objects into Certificate and
# CertificateRequest resources. Note that it only *reads* the networking objects and
# has no Secret access at all; the certificate material is handled by other roles.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # Create/update/delete the Certificate and CertificateRequest objects it derives
  # from Ingress annotations.
  - resources: ["certificates", "certificaterequests"]
    apiGroups: ["cert-manager.io"]
    verbs: ["create", "update", "delete"]
  - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["get", "list", "watch"]
  # Read-only on Ingress; the shim never mutates the Ingress spec.
  - resources: ["ingresses"]
    apiGroups: ["networking.k8s.io"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - resources: ["ingresses/finalizers"]
    apiGroups: ["networking.k8s.io"]
    verbs: ["update"]
  # networking.x-k8s.io is the experimental (v1alpha1) Gateway API group; inert on
  # clusters without it.
  - resources: ["gateways", "httproutes"]
    apiGroups: ["networking.x-k8s.io"]
    verbs: ["get", "list", "watch"]
  - resources: ["gateways/finalizers", "httproutes/finalizers"]
    apiGroups: ["networking.x-k8s.io"]
    verbs: ["update"]
  - resources: ["events"]
    apiGroups: [""]
    verbs: ["create", "patch"]
16561---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
#
# Issuers are namespaced, so the controller needs Secret access in whatever
# namespace an Issuer lives in. This is expressed as a ClusterRole with an
# unscoped, full read/write secrets rule rather than per-namespace Roles.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  - resources: ["issuers", "issuers/status"]
    apiGroups: ["cert-manager.io"]
    verbs: ["update"]
  - resources: ["issuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["get", "list", "watch"]
  # Same verb set as the ClusterIssuer role: create/update/delete on Secrets in
  # every namespace.
  - resources: ["secrets"]
    apiGroups: [""]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - resources: ["events"]
    apiGroups: [""]
    verbs: ["create", "patch"]
16594---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
#
# Drives ACME Orders: creates and removes the Challenge objects for an Order and
# reads the Secrets holding the ACME account key. Secret access here is read-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  - resources: ["orders", "orders/status"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["update"]
  - resources: ["orders", "challenges"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["get", "list", "watch"]
  - resources: ["clusterissuers", "issuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["get", "list", "watch"]
  # Challenges are owned by the Order; the orders controller creates and deletes
  # them but does not update them (that is the challenges controller's job).
  - resources: ["challenges"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - resources: ["orders/finalizers"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["update"]
  # Read-only, but across all namespaces when bound via ClusterRoleBinding.
  - resources: ["secrets"]
    apiGroups: [""]
    verbs: ["get", "list", "watch"]
  - resources: ["events"]
    apiGroups: [""]
    verbs: ["create", "patch"]
16639---
# Source: cert-manager/templates/rbac.yaml
# Aggregated user-facing role. The aggregate-to-admin / aggregate-to-edit labels
# cause the API server to fold these rules into the built-in `admin` and `edit`
# ClusterRoles, so anyone holding those roles in a namespace gains write access to
# cert-manager resources there. Deliberately no ClusterIssuer rule: that resource is
# cluster-scoped and must not be editable via namespace-level admin/edit.
# The matching read verbs (get/list/watch) come from cert-manager-view, which also
# aggregates into admin and edit.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  # deletecollection allows bulk deletion of these resources in one request.
  - resources: ["certificates", "certificaterequests", "issuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - resources: ["challenges", "orders"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
16667---
# Source: cert-manager/templates/rbac.yaml
# Aggregated read-only role, folded into the built-in `view`, `edit` and `admin`
# ClusterRoles via the aggregate-to-* labels. It grants only get/list/watch on
# cert-manager's own resource types and nothing on Secrets, so `view` holders still
# cannot read issued private keys through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  - resources: ["certificates", "certificaterequests", "issuers"]
    apiGroups: ["cert-manager.io"]
    verbs: ["get", "list", "watch"]
  - resources: ["challenges", "orders"]
    apiGroups: ["acme.cert-manager.io"]
    verbs: ["get", "list", "watch"]
16696---
# Source: cert-manager/templates/webhook-rbac.yaml
# Minimal role for the webhook: it may only create SubjectAccessReviews, i.e. ask
# the API server "is subject X allowed to do Y" during admission. No read or write
# access to any other resource is granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
rules:
  - resources: ["subjectaccessreviews"]
    apiGroups: ["authorization.k8s.io"]
    verbs: ["create"]
16719---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Namespaced binding: gives the cainjector ServiceAccount the
# cert-manager-cainjector:leaderelection Role inside the cert-manager namespace
# only, so leader-election state never needs cluster-wide permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: cert-manager
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cainjector
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
16749---
# Source: cert-manager/templates/webhook-rbac.yaml
# Namespaced binding of the cert-manager-webhook:dynamic-serving Role to the
# webhook ServiceAccount, limited to the cert-manager namespace. The Role's rules
# are defined in a document outside this binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: "cert-manager"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook:dynamic-serving
subjects:
  # apiGroup "" is the core group, which is what ServiceAccount subjects use.
  - kind: ServiceAccount
    apiGroup: ""
    name: cert-manager-webhook
    namespace: cert-manager
16778---
# Source: cert-manager/templates/rbac.yaml
# Namespaced binding: the controller ServiceAccount gets the
# cert-manager:leaderelection Role in the cert-manager namespace, which is also the
# namespace the Deployment passes as --leader-election-namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: cert-manager
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
subjects:
  - kind: ServiceAccount
    apiGroup: ""
    name: cert-manager
    namespace: cert-manager
16809---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Cluster-wide binding of the cert-manager-cainjector ClusterRole (defined outside
# this document) to the cainjector ServiceAccount in the cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cainjector
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: "cert-manager"
16836---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of cert-manager-controller-approve:cert-manager-io to the
# `cert-manager` ServiceAccount. Every cert-manager-controller-* ClusterRole in this
# bundle is bound to that same ServiceAccount, so its effective permissions are the
# union of all of them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:cert-manager-io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
16863---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the certificates controller role to the `cert-manager`
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
16890---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the CSR controller role (the one carrying the `sign`
# verb) to the `cert-manager` ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificatesigningrequests
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificatesigningrequests
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
16917---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the challenges controller role to the `cert-manager`
# ServiceAccount. This is what makes that role's Secret read and HTTP01 solver
# pod/service/ingress grants apply in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
16944---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the ClusterIssuer controller role (full Secret
# read/write) to the `cert-manager` ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
16971---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the ingress-shim controller role to the `cert-manager`
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
16998---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the Issuer controller role (full Secret read/write in
# all namespaces) to the `cert-manager` ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
17025---
# Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the Orders controller role to the `cert-manager`
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
17052---
# Source: cert-manager/templates/webhook-rbac.yaml
# Cluster-wide binding of the SubjectAccessReview-only ClusterRole to the webhook
# ServiceAccount. SubjectAccessReview is a cluster-scoped, create-only API, so a
# ClusterRoleBinding is the only way to grant it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook:subjectaccessreviews
subjects:
  - kind: ServiceAccount
    apiGroup: ""
    name: cert-manager-webhook
    namespace: cert-manager
17080---
# Source: cert-manager/templates/service.yaml
# ClusterIP Service in front of the controller's Prometheus metrics endpoint.
# The selector matches the labels on the cert-manager Deployment's pod template
# and the port matches its containerPort 9402. Whether the metrics endpoint is
# reachable from other namespaces depends on NetworkPolicy, which this bundle
# segment does not define.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
  ports:
    # Named tcp-prometheus-servicemonitor so a ServiceMonitor can select it by name.
    - name: tcp-prometheus-servicemonitor
      protocol: TCP
      port: 9402
      targetPort: 9402
17111---
# Source: cert-manager/templates/webhook-service.yaml
# ClusterIP Service the API server calls for CRD conversion and admission; the
# CRDs' webhook clientConfig in this bundle points at service cert-manager-webhook
# in namespace cert-manager. Traffic is TLS (port name `https`); the serving
# certificate is issued by the dynamic-serving machinery covered by the
# cert-manager-webhook:dynamic-serving Role elsewhere in the bundle.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
  ports:
    # 443 externally, 10250 in the pod. The webhook Deployment is not in this
    # segment; confirm its container listens on 10250 and does not use hostNetwork
    # (10250 is also the kubelet port on the node).
    - name: https
      protocol: TCP
      port: 443
      targetPort: 10250
17142---
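# cert-manager controller Deployment. It runs as the `cert-manager` ServiceAccount,
# which the ClusterRoleBindings in this bundle attach every
# cert-manager-controller-* ClusterRole to (including cluster-wide Secret
# read/write and CSR signing), so the pod itself is a high-value identity and is
# hardened accordingly below.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    # Quoted to match every other document in this bundle; the value is unchanged.
    app.kubernetes.io/version: "v1.5.4"
  name: cert-manager
  namespace: cert-manager
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  # A single replica is sufficient; the controller uses leader election
  # (--leader-election-namespace below) if more are ever run.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/name: cert-manager
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "9402"
        prometheus.io/scrape: "true"
        pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
        pallet.edge.ncr.com/name: cert-manager
        pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
        pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
      labels:
        app: cert-manager
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/version: "v1.5.4"
    spec:
      affinity:
        nodeAffinity:
          # Soft preference only: the pod still schedules elsewhere if no node
          # carries node.ncr.com/class=server.
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: node.ncr.com/class
                    operator: In
                    values:
                      - server
              weight: 100
      containers:
        - name: cert-manager
          # Pinned by tag only. A digest pin (image@sha256:<digest>) would make the
          # deployed artifact immutable; the digest is not recorded in this bundle.
          image: quay.io/jetstack/cert-manager-controller:v1.5.4
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # $(POD_NAMESPACE) is expanded by the kubelet from the env entry below,
            # so ClusterIssuer resources are resolved relative to the pod's own namespace.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=cert-manager
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - containerPort: 9402
              protocol: TCP
          # No requests/limits are declared, which leaves the pod in the BestEffort
          # QoS class (first to be evicted under node pressure). Values should be
          # derived from observed usage rather than guessed here.
          resources: {}
          securityContext:
            runAsNonRoot: true
            # The controller is a plain user-space process; it needs no capabilities
            # and must never gain privileges via setuid/file-caps.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # readOnlyRootFilesystem: true is the next step; enable it once verified
            # against this image version in a non-production environment.
      serviceAccountName: cert-manager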
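---
# cert-manager cainjector Deployment: one replica, leader election held in the
# cert-manager namespace. No ports are exposed. The pod runs as non-root; the
# container additionally forbids privilege escalation and drops every Linux
# capability, since nothing in this manifest needs one.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cainjector
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/version: v1.5.4
  name: cert-manager-cainjector
  namespace: cert-manager
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/name: cainjector
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/component: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/version: v1.5.4
      annotations:
        pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
        pallet.edge.ncr.com/name: cert-manager
        pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
        pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
    spec:
      affinity:
        nodeAffinity:
          # Soft preference for server-class nodes; the pod still schedules
          # elsewhere when none is available.
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: node.ncr.com/class
                    operator: In
                    values:
                      - server
              weight: 100
      containers:
        - args:
            - --v=2
            - --leader-election-namespace=cert-manager
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Tag-only reference: pin by digest (image@sha256:<digest>) so the
          # pulled image cannot change underneath a moved tag.
          image: quay.io/jetstack/cert-manager-cainjector:v1.5.4
          imagePullPolicy: IfNotPresent
          name: cert-manager
          # No requests/limits: BestEffort QoS, first candidate for eviction
          # under node memory pressure.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # readOnlyRootFilesystem deliberately left unset — TODO confirm the
            # cainjector never writes to its root filesystem before enabling it.
      securityContext:
        runAsNonRoot: true
      serviceAccountName: cert-manager-cainjector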
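---
# Source: cert-manager/templates/webhook-deployment.yaml
# cert-manager webhook Deployment: the pod behind the cert-manager-webhook
# Service that the conversion, mutating and validating webhook configurations
# call. It terminates TLS itself on 10250 with a serving certificate it issues
# from the CA kept in the cert-manager-webhook-ca Secret (--dynamic-serving-*
# flags). The container runs as non-root, forbids privilege escalation and
# drops every Linux capability; its listening port is unprivileged so none is
# needed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: "webhook"
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/name: webhook
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/component: "webhook"
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/name: webhook
        app.kubernetes.io/version: "v1.5.4"
      annotations:
        pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
        pallet.edge.ncr.com/name: cert-manager
        pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
        pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
        pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: cert-manager
          # Tag-only reference: pin by digest (image@sha256:<digest>) so the
          # pulled image cannot change underneath a moved tag.
          image: "quay.io/jetstack/cert-manager-webhook:v1.5.4"
          args:
            - --v=2
            - --secure-port=10250
            # $(POD_NAMESPACE) is expanded from the Downward API env var below.
            - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
            - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
            # SANs on the serving cert: must cover every name the API server
            # uses to reach the Service, or the TLS handshake fails.
            - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
            - name: https
              protocol: TCP
              containerPort: 10250
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests/limits: BestEffort QoS. The admission webhooks in this
          # file use failurePolicy: Fail, so eviction of this single replica
          # blocks all cert-manager resource writes until it is rescheduled.
          resources: {}
          # Health endpoints are served in plaintext on 6080, separate from the
          # TLS port above.
          livenessProbe:
            failureThreshold: 3
            httpGet:
              port: 6080
              path: /livez
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              port: 6080
              path: /healthz
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # readOnlyRootFilesystem deliberately left unset — TODO confirm the
            # webhook never writes to its root filesystem before enabling it.
      affinity:
        nodeAffinity:
          # Soft preference for server-class nodes; the pod still schedules
          # elsewhere when none is available.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: node.ncr.com/class
                    operator: In
                    values:
                      - server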
---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Registers the cert-manager webhook as a mutating admission hook for CREATE
# and UPDATE of every resource in the cert-manager.io and acme.cert-manager.io
# groups. The caBundle is not set here: the inject-ca-from-secret annotation
# has cainjector copy it from the cert-manager-webhook-ca Secret, so the
# configuration is only trusted by the API server once that injection has run.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
webhooks:
  - name: webhook.cert-manager.io
    # We don't actually support `v1beta1` but is listed here as it is a
    # required value for
    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
    # The API server reads the supported versions in order, so _should always_
    # attempt a `v1` request which is understood by the cert-manager webhook.
    # Any `v1beta1` request will return an error and fail closed for that
    # resource (the whole object request is rejected). When we no longer
    # support v1.16 we can remove `v1beta1` from this list.
    admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "cert-manager"
        path: /mutate
    # Fail closed: while the webhook is unreachable, every matching write is
    # rejected. There is no namespaceSelector, so this applies in all
    # namespaces, including cert-manager's own.
    failurePolicy: Fail
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    rules:
      - resources:
          - "*/*"
        apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    # Bounded per-call wait; on expiry failurePolicy above decides the outcome.
    timeoutSeconds: 10
---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Registers the cert-manager webhook as a validating admission hook for CREATE
# and UPDATE of every resource in the cert-manager.io and acme.cert-manager.io
# groups. The caBundle is not set here: the inject-ca-from-secret annotation
# has cainjector copy it from the cert-manager-webhook-ca Secret.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: webhook
    app.kubernetes.io/version: "v1.5.4"
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: cert-manager
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
webhooks:
  - name: webhook.cert-manager.io
    # We don't actually support `v1beta1` but is listed here as it is a
    # required value for
    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
    # The API server reads the supported versions in order, so _should always_
    # attempt a `v1` request which is understood by the cert-manager webhook.
    # Any `v1beta1` request will return an error and fail closed for that
    # resource (the whole object request is rejected). When we no longer
    # support v1.16 we can remove `v1beta1` from this list.
    admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "cert-manager"
        path: /validate
    # Fail closed: while the webhook is unreachable, every matching write in a
    # selected namespace is rejected.
    failurePolicy: Fail
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    # Namespaces excluded from validation. Anyone who can label a namespace
    # with cert-manager.io/disable-validation=true bypasses this hook for that
    # namespace, so namespace label edits are part of the control boundary.
    namespaceSelector:
      matchExpressions:
        - key: "cert-manager.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        # NOTE(review): this matches a namespace *label* named `name`, which
        # Kubernetes does not populate automatically (the auto-populated label
        # is kubernetes.io/metadata.name). On clusters where the cert-manager
        # namespace has no `name` label this expression is a no-op and the
        # namespace is validated like any other — confirm the intent.
        - key: "name"
          operator: "NotIn"
          values:
            - cert-manager
    rules:
      - resources:
          - "*/*"
        apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
    sideEffects: None
    # Bounded per-call wait; on expiry failurePolicy above decides the outcome.
    timeoutSeconds: 10