# Copyright 2022 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace that the cert-manager components below are installed into.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
# Source: cert-manager/templates/crds.yaml
# CRD for CertificateRequest (cert-manager.io/v1): a one-shot request for a
# signed certificate. The schema description below states that `spec` is
# immutable after creation.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    # Generated labels
    app.kubernetes.io/version: "v1.12.0"
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Approved")].status
          name: Approved
          type: string
        - jsonPath: .status.conditions[?(@.type=="Denied")].status
          name: Denied
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          type: string
        - jsonPath: .spec.username
          name: Requestor
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the CertificateRequest resource.
              type: object
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
                  type: string
                # Requestor identity (extra, groups, uid, username): per the field
                # descriptions these are populated by the cert-manager webhook on
                # creation and are immutable, not supplied by the client.
                extra:
                  description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                # The CSR itself; `format: byte` means it is carried base64-encoded.
                request:
                  description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
                  type: string
                  format: byte
                uid:
                  description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: Status of the CertificateRequest. This is set and managed automatically.
              type: object
              properties:
                ca:
                  description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          # Quoted so they stay strings rather than YAML booleans.
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
                        type: string
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failureTime:
                  description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      served: true
      storage: true
---
# Source: cert-manager/templates/crds.yaml
# CRD for Certificate (cert-manager.io/v1): declares a certificate that is
# kept issued and renewed in the Secret named by `spec.secretName`.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.cert-manager.io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    # Generated labels
    app.kubernetes.io/version: "v1.12.0"
spec:
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
      - cert
      - certs
    singular: certificate
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.secretName
          name: Secret
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          priority: 1
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
          type: object
          required:
            - spec
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Desired state of the Certificate resource.
              type: object
              required:
                - issuerRef
                - secretName
              properties:
                additionalOutputFormats:
                  description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
                  type: array
                  items:
                    description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
                    type: object
                    required:
                      - type
                    properties:
                      type:
                        description: Type is the name of the format type that should be written to the Certificate's target Secret.
                        type: string
                        enum:
                          - DER
                          - CombinedPEM
                commonName:
                  description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                  type: string
                dnsNames:
                  description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                duration:
                  description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                emailAddresses:
                  description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                encodeUsagesInRequest:
                  description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
                  type: boolean
                ipAddresses:
                  description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                isCA:
                  description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
                  type: boolean
                issuerRef:
                  description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                # Keystore passwords are taken from a Secret via passwordSecretRef,
                # never placed inline in the Certificate spec.
                keystores:
                  description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
                  type: object
                  properties:
                    jks:
                      description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                    pkcs12:
                      description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
                      type: object
                      required:
                        - create
                        - passwordSecretRef
                      properties:
                        create:
                          description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                          type: boolean
                        passwordSecretRef:
                          description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
                          type: object
                          required:
                            - name
                          properties:
                            key:
                              description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
                              type: string
                            name:
                              description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                              type: string
                literalSubject:
                  description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
                  type: string
                privateKey:
                  description: Options to control private keys used for the Certificate.
                  type: object
                  properties:
                    algorithm:
                      description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
                      type: string
                      enum:
                        - RSA
                        - ECDSA
                        - Ed25519
                    encoding:
                      description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
                      type: string
                      enum:
                        - PKCS1
                        - PKCS8
                    rotationPolicy:
                      description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
                      type: string
                      enum:
                        - Never
                        - Always
                    size:
                      description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
                      type: integer
                renewBefore:
                  description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
                  type: string
                revisionHistoryLimit:
                  description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
                  type: integer
                  format: int32
                secretName:
                  description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
                  type: string
                secretTemplate:
                  description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
                  type: object
                  properties:
                    annotations:
                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                    labels:
                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
                      type: object
                      additionalProperties:
                        type: string
                subject:
                  description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                  type: object
                  properties:
                    countries:
                      description: Countries to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    localities:
                      description: Cities to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizationalUnits:
                      description: Organizational Units to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    organizations:
                      description: Organizations to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    postalCodes:
                      description: Postal codes to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    provinces:
                      description: State/Provinces to be used on the Certificate.
                      type: array
                      items:
                        type: string
                    serialNumber:
                      description: Serial number to be used on the Certificate.
                      type: string
                    streetAddresses:
                      description: Street addresses to be used on the Certificate.
                      type: array
                      items:
                        type: string
                uris:
                  description: URIs is a list of URI subjectAltNames to be set on the Certificate.
                  type: array
                  items:
                    type: string
                usages:
                  description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
                  type: array
                  items:
                    description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
                    type: string
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
            status:
              description: Status of the Certificate. This is set and managed automatically.
              type: object
              properties:
                conditions:
                  description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
                  type: array
                  items:
                    description: CertificateCondition contains condition information for an Certificate.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
                      observedGeneration:
                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
                        type: integer
                        format: int64
                      reason:
                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          # Quoted so they stay strings rather than YAML booleans.
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, known values are (`Ready`, `Issuing`).
                        type: string
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failedIssuanceAttempts:
                  description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
                  type: integer
                lastFailureTime:
                  description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.
                  type: string
                  format: date-time
                nextPrivateKeySecretName:
                  description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
                  type: string
                notAfter:
                  description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
                  type: string
                  format: date-time
                notBefore:
                  description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
                  type: string
                  format: date-time
                renewalTime:
                  description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
                  type: string
                  format: date-time
                revision:
                  description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
                  type: integer
      served: true
      storage: true
---
593# Source: cert-manager/templates/crds.yaml
594apiVersion: apiextensions.k8s.io/v1
595kind: CustomResourceDefinition
596metadata:
597 name: challenges.acme.cert-manager.io
598 labels:
599 app: 'cert-manager'
600 app.kubernetes.io/name: 'cert-manager'
601 app.kubernetes.io/instance: 'cert-manager'
602 # Generated labels
603 app.kubernetes.io/version: "v1.12.0"
604spec:
605 group: acme.cert-manager.io
606 names:
607 kind: Challenge
608 listKind: ChallengeList
609 plural: challenges
610 singular: challenge
611 categories:
612 - cert-manager
613 - cert-manager-acme
614 scope: Namespaced
615 versions:
616 - additionalPrinterColumns:
617 - jsonPath: .status.state
618 name: State
619 type: string
620 - jsonPath: .spec.dnsName
621 name: Domain
622 type: string
623 - jsonPath: .status.reason
624 name: Reason
625 priority: 1
626 type: string
627 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
628 jsonPath: .metadata.creationTimestamp
629 name: Age
630 type: date
631 name: v1
632 schema:
633 openAPIV3Schema:
634 description: Challenge is a type to represent a Challenge request with an ACME server
635 type: object
636 required:
637 - metadata
638 - spec
639 properties:
640 apiVersion:
641 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
642 type: string
643 kind:
644 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
645 type: string
646 metadata:
647 type: object
648 spec:
649 type: object
650 required:
651 - authorizationURL
652 - dnsName
653 - issuerRef
654 - key
655 - solver
656 - token
657 - type
658 - url
659 properties:
660 authorizationURL:
661 description: The URL to the ACME Authorization resource that this challenge is a part of.
662 type: string
663 dnsName:
664 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
665 type: string
666 issuerRef:
667 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
668 type: object
669 required:
670 - name
671 properties:
672 group:
673 description: Group of the resource being referred to.
674 type: string
675 kind:
676 description: Kind of the resource being referred to.
677 type: string
678 name:
679 description: Name of the resource being referred to.
680 type: string
681 key:
682 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
683 type: string
684 solver:
685 description: Contains the domain solving configuration that should be used to solve this challenge resource.
686 type: object
687 properties:
688 dns01:
689 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
690 type: object
691 properties:
692 acmeDNS:
693 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
694 type: object
695 required:
696 - accountSecretRef
697 - host
698 properties:
699 accountSecretRef:
700 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
701 type: object
702 required:
703 - name
704 properties:
705 key:
706 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
707 type: string
708 name:
709 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
710 type: string
711 host:
712 type: string
713 akamai:
714 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
715 type: object
716 required:
717 - accessTokenSecretRef
718 - clientSecretSecretRef
719 - clientTokenSecretRef
720 - serviceConsumerDomain
721 properties:
722 accessTokenSecretRef:
723 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
724 type: object
725 required:
726 - name
727 properties:
728 key:
729 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
730 type: string
731 name:
732 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
733 type: string
734 clientSecretSecretRef:
735 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
736 type: object
737 required:
738 - name
739 properties:
740 key:
741 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
742 type: string
743 name:
744 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
745 type: string
746 clientTokenSecretRef:
747 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
748 type: object
749 required:
750 - name
751 properties:
752 key:
753 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
754 type: string
755 name:
756 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
757 type: string
758 serviceConsumerDomain:
759 type: string
760 azureDNS:
761 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
762 type: object
763 required:
764 - resourceGroupName
765 - subscriptionID
766 properties:
767 clientID:
768 description: if both this and ClientSecret are left unset MSI will be used
769 type: string
770 clientSecretSecretRef:
771 description: if both this and ClientID are left unset MSI will be used
772 type: object
773 required:
774 - name
775 properties:
776 key:
777 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
778 type: string
779 name:
780 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
781 type: string
782 environment:
783 description: name of the Azure environment (default AzurePublicCloud)
784 type: string
785 enum:
786 - AzurePublicCloud
787 - AzureChinaCloud
788 - AzureGermanCloud
789 - AzureUSGovernmentCloud
790 hostedZoneName:
791 description: name of the DNS zone that should be used
792 type: string
793 managedIdentity:
794 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
795 type: object
796 properties:
797 clientID:
798 description: client ID of the managed identity, can not be used at the same time as resourceID
799 type: string
800 resourceID:
801 description: resource ID of the managed identity, can not be used at the same time as clientID
802 type: string
803 resourceGroupName:
804 description: resource group the DNS zone is located in
805 type: string
806 subscriptionID:
807 description: ID of the Azure subscription
808 type: string
809 tenantID:
810 description: when specifying ClientID and ClientSecret then this field is also needed
811 type: string
812 cloudDNS:
813 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
814 type: object
815 required:
816 - project
817 properties:
818 hostedZoneName:
819 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
820 type: string
821 project:
822 type: string
823 serviceAccountSecretRef:
824 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
825 type: object
826 required:
827 - name
828 properties:
829 key:
830 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
831 type: string
832 name:
833 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
834 type: string
835 cloudflare:
836 description: Use the Cloudflare API to manage DNS01 challenge records.
837 type: object
838 properties:
839 apiKeySecretRef:
840 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
841 type: object
842 required:
843 - name
844 properties:
845 key:
846 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
847 type: string
848 name:
849 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
850 type: string
851 apiTokenSecretRef:
852 description: API token used to authenticate with Cloudflare.
853 type: object
854 required:
855 - name
856 properties:
857 key:
858 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
859 type: string
860 name:
861 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
862 type: string
863 email:
864 description: Email of the account, only required when using API key based authentication.
865 type: string
866 cnameStrategy:
867 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
868 type: string
869 enum:
870 - None
871 - Follow
872 digitalocean:
873 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
874 type: object
875 required:
876 - tokenSecretRef
877 properties:
878 tokenSecretRef:
879 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
880 type: object
881 required:
882 - name
883 properties:
884 key:
885 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
886 type: string
887 name:
888 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
889 type: string
890 rfc2136:
891 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
892 type: object
893 required:
894 - nameserver
895 properties:
896 nameserver:
897 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
898 type: string
899 tsigAlgorithm:
900 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
901 type: string
902 tsigKeyName:
903 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
904 type: string
905 tsigSecretSecretRef:
906 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
907 type: object
908 required:
909 - name
910 properties:
911 key:
912 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
913 type: string
914 name:
915 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
916 type: string
917 route53:
918 description: Use the AWS Route53 API to manage DNS01 challenge records.
919 type: object
920 required:
921 - region
922 properties:
923 accessKeyID:
924 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
925 type: string
926 accessKeyIDSecretRef:
927 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
928 type: object
929 required:
930 - name
931 properties:
932 key:
933 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
934 type: string
935 name:
936 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
937 type: string
938 hostedZoneID:
939 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
940 type: string
941 region:
942 description: Always set the region when using AccessKeyID and SecretAccessKey
943 type: string
944 role:
945 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
946 type: string
947 secretAccessKeySecretRef:
948 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
949 type: object
950 required:
951 - name
952 properties:
953 key:
954 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
955 type: string
956 name:
957 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
958 type: string
959 webhook:
960 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
961 type: object
962 required:
963 - groupName
964 - solverName
965 properties:
966 config:
967 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
968 x-kubernetes-preserve-unknown-fields: true
969 groupName:
970 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
971 type: string
972 solverName:
973 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
974 type: string
975 http01:
976 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
977 type: object
978 properties:
979 gatewayHTTPRoute:
980 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
981 type: object
982 properties:
983 labels:
984 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
985 type: object
986 additionalProperties:
987 type: string
988 parentRefs:
989 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
990 type: array
991 items:
992 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
993 type: object
994 required:
995 - name
996 properties:
997 group:
998 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
999 type: string
1000 default: gateway.networking.k8s.io
1001 maxLength: 253
1002 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1003 kind:
1004 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
1005 type: string
1006 default: Gateway
1007 maxLength: 63
1008 minLength: 1
1009 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1010 name:
1011 description: "Name is the name of the referent. \n Support: Core"
1012 type: string
1013 maxLength: 253
1014 minLength: 1
1015 namespace:
1016 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
1017 type: string
1018 maxLength: 63
1019 minLength: 1
1020 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
1021 port:
1022 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
1023 type: integer
1024 format: int32
1025 maximum: 65535
1026 minimum: 1
1027 sectionName:
1028 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
1029 type: string
1030 maxLength: 253
1031 minLength: 1
1032 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1033 serviceType:
1034 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1035 type: string
1036 ingress:
1037 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
1038 type: object
1039 properties:
1040 class:
1041 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
1042 type: string
1043 ingressClassName:
1044 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
1045 type: string
1046 ingressTemplate:
1047 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
1048 type: object
1049 properties:
1050 metadata:
1051 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1052 type: object
1053 properties:
1054 annotations:
1055 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
1056 type: object
1057 additionalProperties:
1058 type: string
1059 labels:
1060 description: Labels that should be added to the created ACME HTTP01 solver ingress.
1061 type: object
1062 additionalProperties:
1063 type: string
1064 name:
1065 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
1066 type: string
1067 podTemplate:
1068 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
1069 type: object
1070 properties:
1071 metadata:
1072 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
1073 type: object
1074 properties:
1075 annotations:
1076 description: Annotations that should be added to the created ACME HTTP01 solver pods.
1077 type: object
1078 additionalProperties:
1079 type: string
1080 labels:
1081 description: Labels that should be added to the created ACME HTTP01 solver pods.
1082 type: object
1083 additionalProperties:
1084 type: string
1085 spec:
1086 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
1087 type: object
1088 properties:
1089 affinity:
1090 description: If specified, the pod's scheduling constraints
1091 type: object
1092 properties:
1093 nodeAffinity:
1094 description: Describes node affinity scheduling rules for the pod.
1095 type: object
1096 properties:
1097 preferredDuringSchedulingIgnoredDuringExecution:
1098 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
1099 type: array
1100 items:
1101 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1102 type: object
1103 required:
1104 - preference
1105 - weight
1106 properties:
1107 preference:
1108 description: A node selector term, associated with the corresponding weight.
1109 type: object
1110 properties:
1111 matchExpressions:
1112 description: A list of node selector requirements by node's labels.
1113 type: array
1114 items:
1115 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1116 type: object
1117 required:
1118 - key
1119 - operator
1120 properties:
1121 key:
1122 description: The label key that the selector applies to.
1123 type: string
1124 operator:
1125 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1126 type: string
1127 values:
1128 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1129 type: array
1130 items:
1131 type: string
1132 matchFields:
1133 description: A list of node selector requirements by node's fields.
1134 type: array
1135 items:
1136 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1137 type: object
1138 required:
1139 - key
1140 - operator
1141 properties:
1142 key:
1143 description: The label key that the selector applies to.
1144 type: string
1145 operator:
1146 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1147 type: string
1148 values:
1149 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1150 type: array
1151 items:
1152 type: string
1153 x-kubernetes-map-type: atomic
1154 weight:
1155 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
1156 type: integer
1157 format: int32
1158 requiredDuringSchedulingIgnoredDuringExecution:
1159 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
1160 type: object
1161 required:
1162 - nodeSelectorTerms
1163 properties:
1164 nodeSelectorTerms:
1165 description: Required. A list of node selector terms. The terms are ORed.
1166 type: array
1167 items:
1168 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
1169 type: object
1170 properties:
1171 matchExpressions:
1172 description: A list of node selector requirements by node's labels.
1173 type: array
1174 items:
1175 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1176 type: object
1177 required:
1178 - key
1179 - operator
1180 properties:
1181 key:
1182 description: The label key that the selector applies to.
1183 type: string
1184 operator:
1185 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1186 type: string
1187 values:
1188 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1189 type: array
1190 items:
1191 type: string
1192 matchFields:
1193 description: A list of node selector requirements by node's fields.
1194 type: array
1195 items:
1196 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1197 type: object
1198 required:
1199 - key
1200 - operator
1201 properties:
1202 key:
1203 description: The label key that the selector applies to.
1204 type: string
1205 operator:
1206 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
1207 type: string
1208 values:
1209 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
1210 type: array
1211 items:
1212 type: string
1213 x-kubernetes-map-type: atomic
1214 x-kubernetes-map-type: atomic
1215 podAffinity:
1216 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
1217 type: object
1218 properties:
1219 preferredDuringSchedulingIgnoredDuringExecution:
1220 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1221 type: array
1222 items:
1223 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1224 type: object
1225 required:
1226 - podAffinityTerm
1227 - weight
1228 properties:
1229 podAffinityTerm:
1230 description: Required. A pod affinity term, associated with the corresponding weight.
1231 type: object
1232 required:
1233 - topologyKey
1234 properties:
1235 labelSelector:
1236 description: A label query over a set of resources, in this case pods.
1237 type: object
1238 properties:
1239 matchExpressions:
1240 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1241 type: array
1242 items:
1243 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1244 type: object
1245 required:
1246 - key
1247 - operator
1248 properties:
1249 key:
1250 description: key is the label key that the selector applies to.
1251 type: string
1252 operator:
1253 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1254 type: string
1255 values:
1256 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1257 type: array
1258 items:
1259 type: string
1260 matchLabels:
1261 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1262 type: object
1263 additionalProperties:
1264 type: string
1265 x-kubernetes-map-type: atomic
1266 namespaceSelector:
1267 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1268 type: object
1269 properties:
1270 matchExpressions:
1271 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1272 type: array
1273 items:
1274 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1275 type: object
1276 required:
1277 - key
1278 - operator
1279 properties:
1280 key:
1281 description: key is the label key that the selector applies to.
1282 type: string
1283 operator:
1284 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1285 type: string
1286 values:
1287 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1288 type: array
1289 items:
1290 type: string
1291 matchLabels:
1292 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1293 type: object
1294 additionalProperties:
1295 type: string
1296 x-kubernetes-map-type: atomic
1297 namespaces:
1298 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1299 type: array
1300 items:
1301 type: string
1302 topologyKey:
1303 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1304 type: string
1305 weight:
1306 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
1307 type: integer
1308 format: int32
1309 requiredDuringSchedulingIgnoredDuringExecution:
1310 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
1311 type: array
1312 items:
1313 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
1314 type: object
1315 required:
1316 - topologyKey
1317 properties:
1318 labelSelector:
1319 description: A label query over a set of resources, in this case pods.
1320 type: object
1321 properties:
1322 matchExpressions:
1323 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1324 type: array
1325 items:
1326 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1327 type: object
1328 required:
1329 - key
1330 - operator
1331 properties:
1332 key:
1333 description: key is the label key that the selector applies to.
1334 type: string
1335 operator:
1336 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1337 type: string
1338 values:
1339 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1340 type: array
1341 items:
1342 type: string
1343 matchLabels:
1344 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1345 type: object
1346 additionalProperties:
1347 type: string
1348 x-kubernetes-map-type: atomic
1349 namespaceSelector:
1350 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1351 type: object
1352 properties:
1353 matchExpressions:
1354 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1355 type: array
1356 items:
1357 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1358 type: object
1359 required:
1360 - key
1361 - operator
1362 properties:
1363 key:
1364 description: key is the label key that the selector applies to.
1365 type: string
1366 operator:
1367 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1368 type: string
1369 values:
1370 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1371 type: array
1372 items:
1373 type: string
1374 matchLabels:
1375 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1376 type: object
1377 additionalProperties:
1378 type: string
1379 x-kubernetes-map-type: atomic
1380 namespaces:
1381 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1382 type: array
1383 items:
1384 type: string
1385 topologyKey:
1386 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1387 type: string
1388 podAntiAffinity:
1389 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
1390 type: object
1391 properties:
1392 preferredDuringSchedulingIgnoredDuringExecution:
1393 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
1394 type: array
1395 items:
1396 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1397 type: object
1398 required:
1399 - podAffinityTerm
1400 - weight
1401 properties:
1402 podAffinityTerm:
1403 description: Required. A pod affinity term, associated with the corresponding weight.
1404 type: object
1405 required:
1406 - topologyKey
1407 properties:
1408 labelSelector:
1409 description: A label query over a set of resources, in this case pods.
1410 type: object
1411 properties:
1412 matchExpressions:
1413 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1414 type: array
1415 items:
1416 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1417 type: object
1418 required:
1419 - key
1420 - operator
1421 properties:
1422 key:
1423 description: key is the label key that the selector applies to.
1424 type: string
1425 operator:
1426 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1427 type: string
1428 values:
1429 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1430 type: array
1431 items:
1432 type: string
1433 matchLabels:
1434 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1435 type: object
1436 additionalProperties:
1437 type: string
1438 x-kubernetes-map-type: atomic
1439 namespaceSelector:
1440 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1441 type: object
1442 properties:
1443 matchExpressions:
1444 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1445 type: array
1446 items:
1447 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1448 type: object
1449 required:
1450 - key
1451 - operator
1452 properties:
1453 key:
1454 description: key is the label key that the selector applies to.
1455 type: string
1456 operator:
1457 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1458 type: string
1459 values:
1460 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1461 type: array
1462 items:
1463 type: string
1464 matchLabels:
1465 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1466 type: object
1467 additionalProperties:
1468 type: string
1469 x-kubernetes-map-type: atomic
1470 namespaces:
1471 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1472 type: array
1473 items:
1474 type: string
1475 topologyKey:
1476 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1477 type: string
1478 weight:
1479 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
1480 type: integer
1481 format: int32
1482 requiredDuringSchedulingIgnoredDuringExecution:
1483 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
1484 type: array
1485 items:
1486 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
1487 type: object
1488 required:
1489 - topologyKey
1490 properties:
1491 labelSelector:
1492 description: A label query over a set of resources, in this case pods.
1493 type: object
1494 properties:
1495 matchExpressions:
1496 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1497 type: array
1498 items:
1499 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1500 type: object
1501 required:
1502 - key
1503 - operator
1504 properties:
1505 key:
1506 description: key is the label key that the selector applies to.
1507 type: string
1508 operator:
1509 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1510 type: string
1511 values:
1512 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1513 type: array
1514 items:
1515 type: string
1516 matchLabels:
1517 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1518 type: object
1519 additionalProperties:
1520 type: string
1521 x-kubernetes-map-type: atomic
1522 namespaceSelector:
1523 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
1524 type: object
1525 properties:
1526 matchExpressions:
1527 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
1528 type: array
1529 items:
1530 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
1531 type: object
1532 required:
1533 - key
1534 - operator
1535 properties:
1536 key:
1537 description: key is the label key that the selector applies to.
1538 type: string
1539 operator:
1540 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
1541 type: string
1542 values:
1543 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
1544 type: array
1545 items:
1546 type: string
1547 matchLabels:
1548 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
1549 type: object
1550 additionalProperties:
1551 type: string
1552 x-kubernetes-map-type: atomic
1553 namespaces:
1554 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1555 type: array
1556 items:
1557 type: string
1558 topologyKey:
1559 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
1560 type: string
1561 imagePullSecrets:
1562 description: If specified, the pod's imagePullSecrets
1563 type: array
1564 items:
1565 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
1566 type: object
1567 properties:
1568 name:
1569 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
1570 type: string
1571 x-kubernetes-map-type: atomic
1572 nodeSelector:
1573 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
1574 type: object
1575 additionalProperties:
1576 type: string
1577 priorityClassName:
1578 description: If specified, the pod's priorityClassName.
1579 type: string
1580 serviceAccountName:
1581 description: If specified, the pod's service account
1582 type: string
1583 tolerations:
1584 description: If specified, the pod's tolerations.
1585 type: array
1586 items:
1587 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
1588 type: object
1589 properties:
1590 effect:
1591 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
1592 type: string
1593 key:
1594 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
1595 type: string
1596 operator:
1597 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
1598 type: string
1599 tolerationSeconds:
1600 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
1601 type: integer
1602 format: int64
1603 value:
1604 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
1605 type: string
1606 serviceType:
1607 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
1608 type: string
1609 selector:
1610 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
1611 type: object
1612 properties:
1613 dnsNames:
1614 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1615 type: array
1616 items:
1617 type: string
1618 dnsZones:
1619 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
1620 type: array
1621 items:
1622 type: string
1623 matchLabels:
1624 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
1625 type: object
1626 additionalProperties:
1627 type: string
1628 token:
1629 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
1630 type: string
1631 type:
1632 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
1633 type: string
1634 enum:
1635 - HTTP-01
1636 - DNS-01
1637 url:
1638 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
1639 type: string
1640 wildcard:
1641 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
1642 type: boolean
1643 status:
1644 type: object
1645 properties:
1646 presented:
1647 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
1648 type: boolean
1649 processing:
1650 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
1651 type: boolean
1652 reason:
1653 description: Contains human readable information on why the Challenge is in the current state.
1654 type: string
1655 state:
1656 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
1657 type: string
1658 enum:
1659 - valid
1660 - ready
1661 - pending
1662 - processing
1663 - invalid
1664 - expired
1665 - errored
1666 served: true
1667 storage: true
1668 subresources:
1669 status: {}
1670---
1671# Source: cert-manager/templates/crds.yaml
1672apiVersion: apiextensions.k8s.io/v1
1673kind: CustomResourceDefinition
1674metadata:
1675 name: clusterissuers.cert-manager.io
1676 labels:
1677 app: 'cert-manager'
1678 app.kubernetes.io/name: 'cert-manager'
1679 app.kubernetes.io/instance: "cert-manager"
1680 # Generated labels
1681 app.kubernetes.io/version: "v1.12.0"
1682spec:
1683 group: cert-manager.io
1684 names:
1685 kind: ClusterIssuer
1686 listKind: ClusterIssuerList
1687 plural: clusterissuers
1688 singular: clusterissuer
1689 categories:
1690 - cert-manager
1691 scope: Cluster
1692 versions:
1693 - name: v1
1694 subresources:
1695 status: {}
1696 additionalPrinterColumns:
1697 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1698 name: Ready
1699 type: string
1700 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1701 name: Status
1702 priority: 1
1703 type: string
1704 - jsonPath: .metadata.creationTimestamp
1705 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1706 name: Age
1707 type: date
1708 schema:
1709 openAPIV3Schema:
1710 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
1711 type: object
1712 required:
1713 - spec
1714 properties:
1715 apiVersion:
1716 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1717 type: string
1718 kind:
1719 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1720 type: string
1721 metadata:
1722 type: object
1723 spec:
1724 description: Desired state of the ClusterIssuer resource.
1725 type: object
1726 properties:
1727 acme:
1728 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
1729 type: object
1730 required:
1731 - privateKeySecretRef
1732 - server
1733 properties:
1734 caBundle:
1735 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
1736 type: string
1737 format: byte
1738 disableAccountKeyGeneration:
1739 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
1740 type: boolean
1741 email:
1742 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
1743 type: string
1744 enableDurationFeature:
1745 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
1746 type: boolean
1747 externalAccountBinding:
1748 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
1749 type: object
1750 required:
1751 - keyID
1752 - keySecretRef
1753 properties:
1754 keyAlgorithm:
1755 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
1756 type: string
1757 enum:
1758 - HS256
1759 - HS384
1760 - HS512
1761 keyID:
1762 description: keyID is the ID of the CA key that the External Account is bound to.
1763 type: string
1764 keySecretRef:
1765 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
1766 type: object
1767 required:
1768 - name
1769 properties:
1770 key:
1771 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1772 type: string
1773 name:
1774 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1775 type: string
1776 preferredChain:
1777 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
1778 type: string
1779 maxLength: 64
1780 privateKeySecretRef:
1781 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
1782 type: object
1783 required:
1784 - name
1785 properties:
1786 key:
1787 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1788 type: string
1789 name:
1790 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1791 type: string
1792 server:
1793 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported. Use an https URL; how the server certificate is validated is controlled by CABundle and skipTLSVerify.'
1794 type: string
1795 skipTLSVerify:
1796 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated, so an on-path attacker who can intercept the connection is able to impersonate the ACME server. Mutually exclusive with CABundle; prefer using CABundle instead of disabling verification. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
1797 type: boolean
1798 solvers:
1799 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
1800 type: array
1801 items:
1802 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
1803 type: object
1804 properties:
1805 dns01:
1806 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
1807 type: object
1808 properties:
1809 acmeDNS:
1810 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
1811 type: object
1812 required:
1813 - accountSecretRef
1814 - host
1815 properties:
1816 accountSecretRef:
1817 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1818 type: object
1819 required:
1820 - name
1821 properties:
1822 key:
1823 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1824 type: string
1825 name:
1826 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1827 type: string
1828 host:
1829 type: string
1830 akamai:
1831 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
1832 type: object
1833 required:
1834 - accessTokenSecretRef
1835 - clientSecretSecretRef
1836 - clientTokenSecretRef
1837 - serviceConsumerDomain
1838 properties:
1839 accessTokenSecretRef:
1840 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1841 type: object
1842 required:
1843 - name
1844 properties:
1845 key:
1846 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1847 type: string
1848 name:
1849 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1850 type: string
1851 clientSecretSecretRef:
1852 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1853 type: object
1854 required:
1855 - name
1856 properties:
1857 key:
1858 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1859 type: string
1860 name:
1861 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1862 type: string
1863 clientTokenSecretRef:
1864 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1865 type: object
1866 required:
1867 - name
1868 properties:
1869 key:
1870 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1871 type: string
1872 name:
1873 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1874 type: string
1875 serviceConsumerDomain:
1876 type: string
1877 azureDNS:
1878 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
1879 type: object
1880 required:
1881 - resourceGroupName
1882 - subscriptionID
1883 properties:
1884 clientID:
1885 description: if both this and clientSecretSecretRef are left unset, Azure Managed Service Identity (MSI) will be used; see also the managedIdentity field
1886 type: string
1887 clientSecretSecretRef:
1888 description: if both this and clientID are left unset, Azure Managed Service Identity (MSI) will be used; see also the managedIdentity field
1889 type: object
1890 required:
1891 - name
1892 properties:
1893 key:
1894 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1895 type: string
1896 name:
1897 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1898 type: string
1899 environment:
1900 description: name of the Azure environment (default AzurePublicCloud)
1901 type: string
1902 enum:
1903 - AzurePublicCloud
1904 - AzureChinaCloud
1905 - AzureGermanCloud
1906 - AzureUSGovernmentCloud
1907 hostedZoneName:
1908 description: name of the DNS zone that should be used
1909 type: string
1910 managedIdentity:
1911 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
1912 type: object
1913 properties:
1914 clientID:
1915 description: client ID of the managed identity, can not be used at the same time as resourceID
1916 type: string
1917 resourceID:
1918 description: resource ID of the managed identity, can not be used at the same time as clientID
1919 type: string
1920 resourceGroupName:
1921 description: resource group the DNS zone is located in
1922 type: string
1923 subscriptionID:
1924 description: ID of the Azure subscription
1925 type: string
1926 tenantID:
1927 description: tenant ID; required when clientID and clientSecretSecretRef are set, and must not be set together with managedIdentity
1928 type: string
1929 cloudDNS:
1930 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
1931 type: object
1932 required:
1933 - project
1934 properties:
1935 hostedZoneName:
1936 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
1937 type: string
1938 project:
1939 type: string
1940 serviceAccountSecretRef:
1941 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1942 type: object
1943 required:
1944 - name
1945 properties:
1946 key:
1947 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1948 type: string
1949 name:
1950 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1951 type: string
1952 cloudflare:
1953 description: Use the Cloudflare API to manage DNS01 challenge records.
1954 type: object
1955 properties:
1956 apiKeySecretRef:
1957 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method, as a token can be limited to only the permissions the solver needs.'
1958 type: object
1959 required:
1960 - name
1961 properties:
1962 key:
1963 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1964 type: string
1965 name:
1966 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1967 type: string
1968 apiTokenSecretRef:
1969 description: API token used to authenticate with Cloudflare.
1970 type: object
1971 required:
1972 - name
1973 properties:
1974 key:
1975 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1976 type: string
1977 name:
1978 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1979 type: string
1980 email:
1981 description: Email of the account, only required when using API key based authentication.
1982 type: string
1983 cnameStrategy:
1984 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
1985 type: string
1986 enum:
1987 - None
1988 - Follow
1989 digitalocean:
1990 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
1991 type: object
1992 required:
1993 - tokenSecretRef
1994 properties:
1995 tokenSecretRef:
1996 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
1997 type: object
1998 required:
1999 - name
2000 properties:
2001 key:
2002 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2003 type: string
2004 name:
2005 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2006 type: string
2007 rfc2136:
2008 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
2009 type: object
2010 required:
2011 - nameserver
2012 properties:
2013 nameserver:
2014 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
2015 type: string
2016 tsigAlgorithm:
2017 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The ``HMACMD5`` default is kept for compatibility only; prefer ``HMACSHA256`` or ``HMACSHA512`` when the nameserver supports them.'
2018 type: string
2019 tsigKeyName:
2020 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
2021 type: string
2022 tsigSecretSecretRef:
2023 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
2024 type: object
2025 required:
2026 - name
2027 properties:
2028 key:
2029 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2030 type: string
2031 name:
2032 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2033 type: string
2034 route53:
2035 description: Use the AWS Route53 API to manage DNS01 challenge records.
2036 type: object
2037 required:
2038 - region
2039 properties:
2040 accessKeyID:
2041 description: 'The AccessKeyID is used for authentication. Cannot be set when accessKeyIDSecretRef is set. If neither the Access Key ID nor the Secret Access Key are set, cert-manager falls back to env vars, the shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2042 type: string
2043 accessKeyIDSecretRef:
2044 description: 'If set, the AWS access key ID is read from a key within a Kubernetes Secret and used for authentication; prefer this over the plain accessKeyID field so the value is not stored in clear text on this resource. Cannot be set when AccessKeyID is set. If neither the Access Key ID nor the Secret Access Key are set, cert-manager falls back to env vars, the shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2045 type: object
2046 required:
2047 - name
2048 properties:
2049 key:
2050 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2051 type: string
2052 name:
2053 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2054 type: string
2055 hostedZoneID:
2056 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
2057 type: string
2058 region:
2059 description: Always set the region when using AccessKeyID and SecretAccessKey
2060 type: string
2061 role:
2062 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
2063 type: string
2064 secretAccessKeySecretRef:
2065 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2066 type: object
2067 required:
2068 - name
2069 properties:
2070 key:
2071 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2072 type: string
2073 name:
2074 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2075 type: string
2076 webhook:
2077 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2078 type: object
2079 required:
2080 - groupName
2081 - solverName
2082 properties:
2083 config:
2084 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza, because it is stored in clear text as part of this resource and is readable by anyone who can read the resource. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2085 x-kubernetes-preserve-unknown-fields: true
2086 groupName:
2087 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2088 type: string
2089 solverName:
2090 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2091 type: string
2092 http01:
2093 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2094 type: object
2095 properties:
2096 gatewayHTTPRoute:
2097 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2098 type: object
2099 properties:
2100 labels:
2101 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
2102 type: object
2103 additionalProperties:
2104 type: string
2105 parentRefs:
2106 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
2107 type: array
2108 items:
2109 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
2110 type: object
2111 required:
2112 - name
2113 properties:
2114 group:
2115 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
2116 type: string
2117 default: gateway.networking.k8s.io
2118 maxLength: 253
2119 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
2120 kind:
2121 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
2122 type: string
2123 default: Gateway
2124 maxLength: 63
2125 minLength: 1
2126 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
2127 name:
2128 description: "Name is the name of the referent. \n Support: Core"
2129 type: string
2130 maxLength: 253
2131 minLength: 1
2132 namespace:
2133 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
2134 type: string
2135 maxLength: 63
2136 minLength: 1
2137 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
2138 port:
2139 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
2140 type: integer
2141 format: int32
2142 maximum: 65535
2143 minimum: 1
2144 sectionName:
2145 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
2146 type: string
2147 maxLength: 253
2148 minLength: 1
2149 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
2150 serviceType:
2151 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. NodePort exposes the solver service on a port of every cluster node, while ClusterIP keeps it reachable only from inside the cluster.
2152 type: string
2153 ingress:
2154 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
2155 type: object
2156 properties:
2157 class:
2158 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
2159 type: string
2160 ingressClassName:
2161 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
2162 type: string
2163 ingressTemplate:
2164 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
2165 type: object
2166 properties:
2167 metadata:
2168 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2169 type: object
2170 properties:
2171 annotations:
2172 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
2173 type: object
2174 additionalProperties:
2175 type: string
2176 labels:
2177 description: Labels that should be added to the created ACME HTTP01 solver ingress.
2178 type: object
2179 additionalProperties:
2180 type: string
2181 name:
2182 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
2183 type: string
2184 podTemplate:
2185 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2186 type: object
2187 properties:
2188 metadata:
2189 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2190 type: object
2191 properties:
2192 annotations:
2193 description: Annotations that should be added to the created ACME HTTP01 solver pods.
2194 type: object
2195 additionalProperties:
2196 type: string
2197 labels:
2198 description: Labels that should be added to the created ACME HTTP01 solver pods.
2199 type: object
2200 additionalProperties:
2201 type: string
2202 spec:
2203 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
2204 type: object
2205 properties:
2206 affinity:
2207 description: If specified, the pod's scheduling constraints
2208 type: object
2209 properties:
2210 nodeAffinity:
2211 description: Describes node affinity scheduling rules for the pod.
2212 type: object
2213 properties:
2214 preferredDuringSchedulingIgnoredDuringExecution:
2215 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2216 type: array
2217 items:
2218 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2219 type: object
2220 required:
2221 - preference
2222 - weight
2223 properties:
2224 preference:
2225 description: A node selector term, associated with the corresponding weight.
2226 type: object
2227 properties:
2228 matchExpressions:
2229 description: A list of node selector requirements by node's labels.
2230 type: array
2231 items:
2232 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2233 type: object
2234 required:
2235 - key
2236 - operator
2237 properties:
2238 key:
2239 description: The label key that the selector applies to.
2240 type: string
2241 operator:
2242 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2243 type: string
2244 values:
2245 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2246 type: array
2247 items:
2248 type: string
2249 matchFields:
2250 description: A list of node selector requirements by node's fields.
2251 type: array
2252 items:
2253 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2254 type: object
2255 required:
2256 - key
2257 - operator
2258 properties:
2259 key:
2260 description: The label key that the selector applies to.
2261 type: string
2262 operator:
2263 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2264 type: string
2265 values:
2266 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2267 type: array
2268 items:
2269 type: string
2270 x-kubernetes-map-type: atomic
2271 weight:
2272 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2273 type: integer
2274 format: int32
2275 requiredDuringSchedulingIgnoredDuringExecution:
2276 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2277 type: object
2278 required:
2279 - nodeSelectorTerms
2280 properties:
2281 nodeSelectorTerms:
2282 description: Required. A list of node selector terms. The terms are ORed.
2283 type: array
2284 items:
2285 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2286 type: object
2287 properties:
2288 matchExpressions:
2289 description: A list of node selector requirements by node's labels.
2290 type: array
2291 items:
2292 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2293 type: object
2294 required:
2295 - key
2296 - operator
2297 properties:
2298 key:
2299 description: The label key that the selector applies to.
2300 type: string
2301 operator:
2302 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2303 type: string
2304 values:
2305 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2306 type: array
2307 items:
2308 type: string
2309 matchFields:
2310 description: A list of node selector requirements by node's fields.
2311 type: array
2312 items:
2313 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2314 type: object
2315 required:
2316 - key
2317 - operator
2318 properties:
2319 key:
2320 description: The label key that the selector applies to.
2321 type: string
2322 operator:
2323 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2324 type: string
2325 values:
2326 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2327 type: array
2328 items:
2329 type: string
2330 x-kubernetes-map-type: atomic
2331 x-kubernetes-map-type: atomic
2332 podAffinity:
2333 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2334 type: object
2335 properties:
2336 preferredDuringSchedulingIgnoredDuringExecution:
2337 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2338 type: array
2339 items:
2340 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2341 type: object
2342 required:
2343 - podAffinityTerm
2344 - weight
2345 properties:
2346 podAffinityTerm:
2347 description: Required. A pod affinity term, associated with the corresponding weight.
2348 type: object
2349 required:
2350 - topologyKey
2351 properties:
2352 labelSelector:
2353 description: A label query over a set of resources, in this case pods.
2354 type: object
2355 properties:
2356 matchExpressions:
2357 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2358 type: array
2359 items:
2360 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2361 type: object
2362 required:
2363 - key
2364 - operator
2365 properties:
2366 key:
2367 description: key is the label key that the selector applies to.
2368 type: string
2369 operator:
2370 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2371 type: string
2372 values:
2373 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2374 type: array
2375 items:
2376 type: string
2377 matchLabels:
2378 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2379 type: object
2380 additionalProperties:
2381 type: string
2382 x-kubernetes-map-type: atomic
2383 namespaceSelector:
2384 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2385 type: object
2386 properties:
2387 matchExpressions:
2388 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2389 type: array
2390 items:
2391 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2392 type: object
2393 required:
2394 - key
2395 - operator
2396 properties:
2397 key:
2398 description: key is the label key that the selector applies to.
2399 type: string
2400 operator:
2401 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2402 type: string
2403 values:
2404 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2405 type: array
2406 items:
2407 type: string
2408 matchLabels:
2409 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2410 type: object
2411 additionalProperties:
2412 type: string
2413 x-kubernetes-map-type: atomic
2414 namespaces:
2415 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2416 type: array
2417 items:
2418 type: string
2419 topologyKey:
2420 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2421 type: string
2422 weight:
2423 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2424 type: integer
2425 format: int32
2426 requiredDuringSchedulingIgnoredDuringExecution:
2427 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2428 type: array
2429 items:
2430 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2431 type: object
2432 required:
2433 - topologyKey
2434 properties:
2435 labelSelector:
2436 description: A label query over a set of resources, in this case pods.
2437 type: object
2438 properties:
2439 matchExpressions:
2440 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2441 type: array
2442 items:
2443 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2444 type: object
2445 required:
2446 - key
2447 - operator
2448 properties:
2449 key:
2450 description: key is the label key that the selector applies to.
2451 type: string
2452 operator:
2453 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2454 type: string
2455 values:
2456 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2457 type: array
2458 items:
2459 type: string
2460 matchLabels:
2461 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2462 type: object
2463 additionalProperties:
2464 type: string
2465 x-kubernetes-map-type: atomic
2466 namespaceSelector:
2467 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2468 type: object
2469 properties:
2470 matchExpressions:
2471 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2472 type: array
2473 items:
2474 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2475 type: object
2476 required:
2477 - key
2478 - operator
2479 properties:
2480 key:
2481 description: key is the label key that the selector applies to.
2482 type: string
2483 operator:
2484 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2485 type: string
2486 values:
2487 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2488 type: array
2489 items:
2490 type: string
2491 matchLabels:
2492 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2493 type: object
2494 additionalProperties:
2495 type: string
2496 x-kubernetes-map-type: atomic
2497 namespaces:
2498 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2499 type: array
2500 items:
2501 type: string
2502 topologyKey:
2503 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2504 type: string
2505 podAntiAffinity:
2506 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2507 type: object
2508 properties:
2509 preferredDuringSchedulingIgnoredDuringExecution:
2510 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2511 type: array
2512 items:
2513 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2514 type: object
2515 required:
2516 - podAffinityTerm
2517 - weight
2518 properties:
2519 podAffinityTerm:
2520 description: Required. A pod affinity term, associated with the corresponding weight.
2521 type: object
2522 required:
2523 - topologyKey
2524 properties:
2525 labelSelector:
2526 description: A label query over a set of resources, in this case pods.
2527 type: object
2528 properties:
2529 matchExpressions:
2530 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2531 type: array
2532 items:
2533 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2534 type: object
2535 required:
2536 - key
2537 - operator
2538 properties:
2539 key:
2540 description: key is the label key that the selector applies to.
2541 type: string
2542 operator:
2543 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2544 type: string
2545 values:
2546 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2547 type: array
2548 items:
2549 type: string
2550 matchLabels:
2551 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2552 type: object
2553 additionalProperties:
2554 type: string
2555 x-kubernetes-map-type: atomic
2556 namespaceSelector:
2557 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2558 type: object
2559 properties:
2560 matchExpressions:
2561 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2562 type: array
2563 items:
2564 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2565 type: object
2566 required:
2567 - key
2568 - operator
2569 properties:
2570 key:
2571 description: key is the label key that the selector applies to.
2572 type: string
2573 operator:
2574 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2575 type: string
2576 values:
2577 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2578 type: array
2579 items:
2580 type: string
2581 matchLabels:
2582 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2583 type: object
2584 additionalProperties:
2585 type: string
2586 x-kubernetes-map-type: atomic
2587 namespaces:
2588 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2589 type: array
2590 items:
2591 type: string
2592 topologyKey:
2593 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2594 type: string
2595 weight:
2596 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2597 type: integer
2598 format: int32
2599 requiredDuringSchedulingIgnoredDuringExecution:
2600 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2601 type: array
2602 items:
2603 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2604 type: object
2605 required:
2606 - topologyKey
2607 properties:
2608 labelSelector:
2609 description: A label query over a set of resources, in this case pods.
2610 type: object
2611 properties:
2612 matchExpressions:
2613 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2614 type: array
2615 items:
2616 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2617 type: object
2618 required:
2619 - key
2620 - operator
2621 properties:
2622 key:
2623 description: key is the label key that the selector applies to.
2624 type: string
2625 operator:
2626 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2627 type: string
2628 values:
2629 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2630 type: array
2631 items:
2632 type: string
2633 matchLabels:
2634 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2635 type: object
2636 additionalProperties:
2637 type: string
2638 x-kubernetes-map-type: atomic
2639 namespaceSelector:
2640 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
2641 type: object
2642 properties:
2643 matchExpressions:
2644 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2645 type: array
2646 items:
2647 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2648 type: object
2649 required:
2650 - key
2651 - operator
2652 properties:
2653 key:
2654 description: key is the label key that the selector applies to.
2655 type: string
2656 operator:
2657 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2658 type: string
2659 values:
2660 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2661 type: array
2662 items:
2663 type: string
2664 matchLabels:
2665 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2666 type: object
2667 additionalProperties:
2668 type: string
2669 x-kubernetes-map-type: atomic
2670 namespaces:
2671 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2672 type: array
2673 items:
2674 type: string
2675 topologyKey:
2676 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2677 type: string
2678 imagePullSecrets:
2679 description: If specified, the pod's imagePullSecrets
2680 type: array
2681 items:
2682 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
2683 type: object
2684 properties:
2685 name:
2686 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
2687 type: string
2688 x-kubernetes-map-type: atomic
2689 nodeSelector:
2690 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2691 type: object
2692 additionalProperties:
2693 type: string
2694 priorityClassName:
2695 description: If specified, the pod's priorityClassName.
2696 type: string
2697 serviceAccountName:
2698 description: If specified, the pod's service account
2699 type: string
2700 tolerations:
2701 description: If specified, the pod's tolerations.
2702 type: array
2703 items:
2704 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2705 type: object
2706 properties:
2707 effect:
2708 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2709 type: string
2710 key:
2711 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2712 type: string
2713 operator:
2714 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2715 type: string
2716 tolerationSeconds:
2717 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
2718 type: integer
2719 format: int64
2720 value:
2721 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
2722 type: string
2723 serviceType:
2724 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2725 type: string
2726 selector:
2727 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
2728 type: object
2729 properties:
2730 dnsNames:
2731 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2732 type: array
2733 items:
2734 type: string
2735 dnsZones:
2736 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
2737 type: array
2738 items:
2739 type: string
2740 matchLabels:
2741 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
2742 type: object
2743 additionalProperties:
2744 type: string
2745 ca:
2746 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
2747 type: object
2748 required:
2749 - secretName
2750 properties:
2751 crlDistributionPoints:
2752 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
2753 type: array
2754 items:
2755 type: string
2756 ocspServers:
2757 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
2758 type: array
2759 items:
2760 type: string
2761 secretName:
2762 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
2763 type: string
2764 selfSigned:
2765 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
2766 type: object
2767 properties:
2768 crlDistributionPoints:
2769 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
2770 type: array
2771 items:
2772 type: string
2773 vault:
2774 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
2775 type: object
2776 required:
2777 - auth
2778 - path
2779 - server
2780 properties:
2781 auth:
2782 description: Auth configures how cert-manager authenticates with the Vault server.
2783 type: object
2784 properties:
2785 appRole:
2786 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
2787 type: object
2788 required:
2789 - path
2790 - roleId
2791 - secretRef
2792 properties:
2793 path:
2794 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
2795 type: string
2796 roleId:
2797 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
2798 type: string
2799 secretRef:
2800 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
2801 type: object
2802 required:
2803 - name
2804 properties:
2805 key:
2806 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2807 type: string
2808 name:
2809 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2810 type: string
2811 kubernetes:
2812 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
2813 type: object
2814 required:
2815 - role
2816 properties:
2817 mountPath:
2818 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
2819 type: string
2820 role:
2821 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
2822 type: string
2823 secretRef:
2824 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
2825 type: object
2826 required:
2827 - name
2828 properties:
2829 key:
2830 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2831 type: string
2832 name:
2833 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2834 type: string
2835 serviceAccountRef:
2836 description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
2837 type: object
2838 required:
2839 - name
2840 properties:
2841 name:
2842 description: Name of the ServiceAccount used to request a token.
2843 type: string
2844 tokenSecretRef:
2845 description: TokenSecretRef authenticates with Vault by presenting a token.
2846 type: object
2847 required:
2848 - name
2849 properties:
2850 key:
2851 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2852 type: string
2853 name:
2854 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2855 type: string
2856 caBundle:
2857 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
2858 type: string
2859 format: byte
2860 caBundleSecretRef:
2861 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
2862 type: object
2863 required:
2864 - name
2865 properties:
2866 key:
2867 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2868 type: string
2869 name:
2870 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2871 type: string
2872 namespace:
2873 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
2874 type: string
2875 path:
2876 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
2877 type: string
2878 server:
2879 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
2880 type: string
2881 venafi:
2882 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
2883 type: object
2884 required:
2885 - zone
2886 properties:
2887 cloud:
2888 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
2889 type: object
2890 required:
2891 - apiTokenSecretRef
2892 properties:
2893 apiTokenSecretRef:
2894 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
2895 type: object
2896 required:
2897 - name
2898 properties:
2899 key:
2900 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2901 type: string
2902 name:
2903 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2904 type: string
2905 url:
2906 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
2907 type: string
2908 tpp:
2909 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
2910 type: object
2911 required:
2912 - credentialsRef
2913 - url
2914 properties:
2915 caBundle:
2916 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
2917 type: string
2918 format: byte
2919 credentialsRef:
2920 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
2921 type: object
2922 required:
2923 - name
2924 properties:
2925 name:
2926 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2927 type: string
2928 url:
2929 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
2930 type: string
2931 zone:
2932 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
2933 type: string
2934 status:
2935 description: Status of the ClusterIssuer. This is set and managed automatically.
2936 type: object
2937 properties:
2938 acme:
2939 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
2940 type: object
2941 properties:
2942 lastPrivateKeyHash:
2943 description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
2944 type: string
2945 lastRegisteredEmail:
2946 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
2947 type: string
2948 uri:
2949 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
2950 type: string
2951 conditions:
2952 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
2953 type: array
2954 items:
2955 description: IssuerCondition contains condition information for an Issuer.
2956 type: object
2957 required:
2958 - status
2959 - type
2960 properties:
2961 lastTransitionTime:
2962 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2963 type: string
2964 format: date-time
2965 message:
2966 description: Message is a human readable description of the details of the last transition, complementing reason.
2967 type: string
2968 observedGeneration:
2969 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
2970 type: integer
2971 format: int64
2972 reason:
2973 description: Reason is a brief machine readable explanation for the condition's last transition.
2974 type: string
2975 status:
2976 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2977 type: string
2978 enum:
2979 - "True"
2980 - "False"
2981 - Unknown
2982 type:
2983 description: Type of the condition, known values are (`Ready`).
2984 type: string
2985 x-kubernetes-list-map-keys:
2986 - type
2987 x-kubernetes-list-type: map
2988 served: true
2989 storage: true
2990---
2991# Source: cert-manager/templates/crds.yaml
2992apiVersion: apiextensions.k8s.io/v1
2993kind: CustomResourceDefinition
2994metadata:
2995 name: issuers.cert-manager.io
2996 labels:
2997 app: 'cert-manager'
2998 app.kubernetes.io/name: 'cert-manager'
2999 app.kubernetes.io/instance: "cert-manager"
3000 # Generated labels
3001 app.kubernetes.io/version: "v1.12.0"
3002spec:
3003 group: cert-manager.io
3004 names:
3005 kind: Issuer
3006 listKind: IssuerList
3007 plural: issuers
3008 singular: issuer
3009 categories:
3010 - cert-manager
3011 scope: Namespaced
3012 versions:
3013 - name: v1
3014 subresources:
3015 status: {}
3016 additionalPrinterColumns:
3017 - jsonPath: .status.conditions[?(@.type=="Ready")].status
3018 name: Ready
3019 type: string
3020 - jsonPath: .status.conditions[?(@.type=="Ready")].message
3021 name: Status
3022 priority: 1
3023 type: string
3024 - jsonPath: .metadata.creationTimestamp
3025 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
3026 name: Age
3027 type: date
3028 schema:
3029 openAPIV3Schema:
3030 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
3031 type: object
3032 required:
3033 - spec
3034 properties:
3035 apiVersion:
3036 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3037 type: string
3038 kind:
3039 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3040 type: string
3041 metadata:
3042 type: object
3043 spec:
3044 description: Desired state of the Issuer resource.
3045 type: object
3046 properties:
3047 acme:
3048 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
3049 type: object
3050 required:
3051 - privateKeySecretRef
3052 - server
3053 properties:
3054 caBundle:
3055 description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
3056 type: string
3057 format: byte
3058 disableAccountKeyGeneration:
3059 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
3060 type: boolean
3061 email:
3062 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
3063 type: string
3064 enableDurationFeature:
3065 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
3066 type: boolean
3067 externalAccountBinding:
3068 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
3069 type: object
3070 required:
3071 - keyID
3072 - keySecretRef
3073 properties:
3074 keyAlgorithm:
3075 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
3076 type: string
3077 enum:
3078 - HS256
3079 - HS384
3080 - HS512
3081 keyID:
3082 description: keyID is the ID of the CA key that the External Account is bound to.
3083 type: string
3084 keySecretRef:
3085 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
3086 type: object
3087 required:
3088 - name
3089 properties:
3090 key:
3091 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3092 type: string
3093 name:
3094 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3095 type: string
3096 preferredChain:
3097 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
3098 type: string
3099 maxLength: 64
3100 privateKeySecretRef:
3101 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
3102 type: object
3103 required:
3104 - name
3105 properties:
3106 key:
3107 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3108 type: string
3109 name:
3110 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3111 type: string
3112 server:
3113 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
3114 type: string
3115 skipTLSVerify:
3116 description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
3117 type: boolean
3118 solvers:
3119 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
3120 type: array
3121 items:
3122 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
3123 type: object
3124 properties:
3125 dns01:
3126 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
3127 type: object
3128 properties:
3129 acmeDNS:
3130 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
3131 type: object
3132 required:
3133 - accountSecretRef
3134 - host
3135 properties:
3136 accountSecretRef:
3137 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3138 type: object
3139 required:
3140 - name
3141 properties:
3142 key:
3143 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3144 type: string
3145 name:
3146 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3147 type: string
3148 host:
3149 type: string
3150 akamai:
3151 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
3152 type: object
3153 required:
3154 - accessTokenSecretRef
3155 - clientSecretSecretRef
3156 - clientTokenSecretRef
3157 - serviceConsumerDomain
3158 properties:
3159 accessTokenSecretRef:
3160 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3161 type: object
3162 required:
3163 - name
3164 properties:
3165 key:
3166 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3167 type: string
3168 name:
3169 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3170 type: string
3171 clientSecretSecretRef:
3172 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3173 type: object
3174 required:
3175 - name
3176 properties:
3177 key:
3178 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3179 type: string
3180 name:
3181 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3182 type: string
3183 clientTokenSecretRef:
3184 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3185 type: object
3186 required:
3187 - name
3188 properties:
3189 key:
3190 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3191 type: string
3192 name:
3193 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3194 type: string
3195 serviceConsumerDomain:
3196 type: string
3197 azureDNS:
3198 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
3199 type: object
3200 required:
3201 - resourceGroupName
3202 - subscriptionID
3203 properties:
3204 clientID:
3205 description: If both this and ClientSecret are left unset, MSI will be used.
3206 type: string
3207 clientSecretSecretRef:
3208 description: If both this and ClientID are left unset, MSI will be used.
3209 type: object
3210 required:
3211 - name
3212 properties:
3213 key:
3214 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3215 type: string
3216 name:
3217 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3218 type: string
3219 environment:
3220 description: name of the Azure environment (default AzurePublicCloud)
3221 type: string
3222 enum:
3223 - AzurePublicCloud
3224 - AzureChinaCloud
3225 - AzureGermanCloud
3226 - AzureUSGovernmentCloud
3227 hostedZoneName:
3228 description: name of the DNS zone that should be used
3229 type: string
3230 managedIdentity:
3231 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
3232 type: object
3233 properties:
3234 clientID:
3235 description: client ID of the managed identity, can not be used at the same time as resourceID
3236 type: string
3237 resourceID:
3238 description: resource ID of the managed identity, can not be used at the same time as clientID
3239 type: string
3240 resourceGroupName:
3241 description: resource group the DNS zone is located in
3242 type: string
3243 subscriptionID:
3244 description: ID of the Azure subscription
3245 type: string
3246 tenantID:
3247 description: When specifying ClientID and ClientSecret, this field is also needed.
3248 type: string
3249 cloudDNS:
3250 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3251 type: object
3252 required:
3253 - project
3254 properties:
3255 hostedZoneName:
3256 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty, cert-manager will automatically choose a zone.
3257 type: string
3258 project:
3259 type: string
3260 serviceAccountSecretRef:
3261 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3262 type: object
3263 required:
3264 - name
3265 properties:
3266 key:
3267 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3268 type: string
3269 name:
3270 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3271 type: string
3272 cloudflare:
3273 description: Use the Cloudflare API to manage DNS01 challenge records.
3274 type: object
3275 properties:
3276 apiKeySecretRef:
3277 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
3278 type: object
3279 required:
3280 - name
3281 properties:
3282 key:
3283 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3284 type: string
3285 name:
3286 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3287 type: string
3288 apiTokenSecretRef:
3289 description: API token used to authenticate with Cloudflare.
3290 type: object
3291 required:
3292 - name
3293 properties:
3294 key:
3295 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3296 type: string
3297 name:
3298 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3299 type: string
3300 email:
3301 description: Email of the account, only required when using API key based authentication.
3302 type: string
3303 cnameStrategy:
3304 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3305 type: string
3306 enum:
3307 - None
3308 - Follow
3309 digitalocean:
3310 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3311 type: object
3312 required:
3313 - tokenSecretRef
3314 properties:
3315 tokenSecretRef:
3316 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3317 type: object
3318 required:
3319 - name
3320 properties:
3321 key:
3322 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3323 type: string
3324 name:
3325 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3326 type: string
3327 rfc2136:
3328 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3329 type: object
3330 required:
3331 - nameserver
3332 properties:
3333 nameserver:
3334 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
3335 type: string
3336 tsigAlgorithm:
3337 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
3338 type: string
3339 tsigKeyName:
3340 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3341 type: string
3342 tsigSecretSecretRef:
3343 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3344 type: object
3345 required:
3346 - name
3347 properties:
3348 key:
3349 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3350 type: string
3351 name:
3352 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3353 type: string
3354 route53:
3355 description: Use the AWS Route53 API to manage DNS01 challenge records.
3356 type: object
3357 required:
3358 - region
3359 properties:
3360 accessKeyID:
3361 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3362 type: string
3363 accessKeyIDSecretRef:
3364 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3365 type: object
3366 required:
3367 - name
3368 properties:
3369 key:
3370 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3371 type: string
3372 name:
3373 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3374 type: string
3375 hostedZoneID:
3376 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
3377 type: string
3378 region:
3379 description: Always set the region when using AccessKeyID and SecretAccessKey
3380 type: string
3381 role:
3382 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3383 type: string
3384 secretAccessKeySecretRef:
3385 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3386 type: object
3387 required:
3388 - name
3389 properties:
3390 key:
3391 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3392 type: string
3393 name:
3394 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3395 type: string
3396 webhook:
3397 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3398 type: object
3399 required:
3400 - groupName
3401 - solverName
3402 properties:
3403 config:
3404 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3405 x-kubernetes-preserve-unknown-fields: true
3406 groupName:
3407 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3408 type: string
3409 solverName:
3410 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3411 type: string
3412 http01:
3413 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3414 type: object
3415 properties:
3416 gatewayHTTPRoute:
3417 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3418 type: object
3419 properties:
3420 labels:
3421 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
3422 type: object
3423 additionalProperties:
3424 type: string
3425 parentRefs:
3426 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
3427 type: array
3428 items:
3429 description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
3430 type: object
3431 required:
3432 - name
3433 properties:
3434 group:
3435 description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
3436 type: string
3437 default: gateway.networking.k8s.io
3438 maxLength: 253
3439 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
3440 kind:
3441 description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)"
3442 type: string
3443 default: Gateway
3444 maxLength: 63
3445 minLength: 1
3446 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
3447 name:
3448 description: "Name is the name of the referent. \n Support: Core"
3449 type: string
3450 maxLength: 253
3451 minLength: 1
3452 namespace:
3453 description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core"
3454 type: string
3455 maxLength: 63
3456 minLength: 1
3457 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
3458 port:
3459 description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
3460 type: integer
3461 format: int32
3462 maximum: 65535
3463 minimum: 1
3464 sectionName:
3465 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
3466 type: string
3467 maxLength: 253
3468 minLength: 1
3469 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
3470 serviceType:
3471 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3472 type: string
3473 ingress:
3474 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3475 type: object
3476 properties:
3477 class:
3478 description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
3479 type: string
3480 ingressClassName:
3481 description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
3482 type: string
3483 ingressTemplate:
3484 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
3485 type: object
3486 properties:
3487 metadata:
3488 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3489 type: object
3490 properties:
3491 annotations:
3492 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3493 type: object
3494 additionalProperties:
3495 type: string
3496 labels:
3497 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3498 type: object
3499 additionalProperties:
3500 type: string
3501 name:
3502 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
3503 type: string
3504 podTemplate:
3505 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3506 type: object
3507 properties:
3508 metadata:
3509 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3510 type: object
3511 properties:
3512 annotations:
3513 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3514 type: object
3515 additionalProperties:
3516 type: string
3517 labels:
3518 description: Labels that should be added to the created ACME HTTP01 solver pods.
3519 type: object
3520 additionalProperties:
3521 type: string
3522 spec:
3523 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
3524 type: object
3525 properties:
3526 affinity:
3527 description: If specified, the pod's scheduling constraints
3528 type: object
3529 properties:
3530 nodeAffinity:
3531 description: Describes node affinity scheduling rules for the pod.
3532 type: object
3533 properties:
3534 preferredDuringSchedulingIgnoredDuringExecution:
3535 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3536 type: array
3537 items:
3538 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3539 type: object
3540 required:
3541 - preference
3542 - weight
3543 properties:
3544 preference:
3545 description: A node selector term, associated with the corresponding weight.
3546 type: object
3547 properties:
3548 matchExpressions:
3549 description: A list of node selector requirements by node's labels.
3550 type: array
3551 items:
3552 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3553 type: object
3554 required:
3555 - key
3556 - operator
3557 properties:
3558 key:
3559 description: The label key that the selector applies to.
3560 type: string
3561 operator:
3562 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3563 type: string
3564 values:
3565 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3566 type: array
3567 items:
3568 type: string
3569 matchFields:
3570 description: A list of node selector requirements by node's fields.
3571 type: array
3572 items:
3573 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3574 type: object
3575 required:
3576 - key
3577 - operator
3578 properties:
3579 key:
3580 description: The label key that the selector applies to.
3581 type: string
3582 operator:
3583 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3584 type: string
3585 values:
3586 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3587 type: array
3588 items:
3589 type: string
3590 x-kubernetes-map-type: atomic
3591 weight:
3592 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3593 type: integer
3594 format: int32
3595 requiredDuringSchedulingIgnoredDuringExecution:
3596 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3597 type: object
3598 required:
3599 - nodeSelectorTerms
3600 properties:
3601 nodeSelectorTerms:
3602 description: Required. A list of node selector terms. The terms are ORed.
3603 type: array
3604 items:
3605 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3606 type: object
3607 properties:
3608 matchExpressions:
3609 description: A list of node selector requirements by node's labels.
3610 type: array
3611 items:
3612 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3613 type: object
3614 required:
3615 - key
3616 - operator
3617 properties:
3618 key:
3619 description: The label key that the selector applies to.
3620 type: string
3621 operator:
3622 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3623 type: string
3624 values:
3625 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3626 type: array
3627 items:
3628 type: string
3629 matchFields:
3630 description: A list of node selector requirements by node's fields.
3631 type: array
3632 items:
3633 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3634 type: object
3635 required:
3636 - key
3637 - operator
3638 properties:
3639 key:
3640 description: The label key that the selector applies to.
3641 type: string
3642 operator:
3643 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3644 type: string
3645 values:
3646 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3647 type: array
3648 items:
3649 type: string
3650 x-kubernetes-map-type: atomic
3651 x-kubernetes-map-type: atomic
3652 podAffinity:
3653 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3654 type: object
3655 properties:
3656 preferredDuringSchedulingIgnoredDuringExecution:
3657 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3658 type: array
3659 items:
3660 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3661 type: object
3662 required:
3663 - podAffinityTerm
3664 - weight
3665 properties:
3666 podAffinityTerm:
3667 description: Required. A pod affinity term, associated with the corresponding weight.
3668 type: object
3669 required:
3670 - topologyKey
3671 properties:
3672 labelSelector:
3673 description: A label query over a set of resources, in this case pods.
3674 type: object
3675 properties:
3676 matchExpressions:
3677 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3678 type: array
3679 items:
3680 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3681 type: object
3682 required:
3683 - key
3684 - operator
3685 properties:
3686 key:
3687 description: key is the label key that the selector applies to.
3688 type: string
3689 operator:
3690 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3691 type: string
3692 values:
3693 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3694 type: array
3695 items:
3696 type: string
3697 matchLabels:
3698 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3699 type: object
3700 additionalProperties:
3701 type: string
3702 x-kubernetes-map-type: atomic
3703 namespaceSelector:
3704 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3705 type: object
3706 properties:
3707 matchExpressions:
3708 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3709 type: array
3710 items:
3711 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3712 type: object
3713 required:
3714 - key
3715 - operator
3716 properties:
3717 key:
3718 description: key is the label key that the selector applies to.
3719 type: string
3720 operator:
3721 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3722 type: string
3723 values:
3724 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3725 type: array
3726 items:
3727 type: string
3728 matchLabels:
3729 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3730 type: object
3731 additionalProperties:
3732 type: string
3733 x-kubernetes-map-type: atomic
3734 namespaces:
3735 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3736 type: array
3737 items:
3738 type: string
3739 topologyKey:
3740 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3741 type: string
3742 weight:
3743 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3744 type: integer
3745 format: int32
3746 requiredDuringSchedulingIgnoredDuringExecution:
3747 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3748 type: array
3749 items:
3750 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3751 type: object
3752 required:
3753 - topologyKey
3754 properties:
3755 labelSelector:
3756 description: A label query over a set of resources, in this case pods.
3757 type: object
3758 properties:
3759 matchExpressions:
3760 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3761 type: array
3762 items:
3763 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3764 type: object
3765 required:
3766 - key
3767 - operator
3768 properties:
3769 key:
3770 description: key is the label key that the selector applies to.
3771 type: string
3772 operator:
3773 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3774 type: string
3775 values:
3776 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3777 type: array
3778 items:
3779 type: string
3780 matchLabels:
3781 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3782 type: object
3783 additionalProperties:
3784 type: string
3785 x-kubernetes-map-type: atomic
3786 namespaceSelector:
3787 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3788 type: object
3789 properties:
3790 matchExpressions:
3791 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3792 type: array
3793 items:
3794 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3795 type: object
3796 required:
3797 - key
3798 - operator
3799 properties:
3800 key:
3801 description: key is the label key that the selector applies to.
3802 type: string
3803 operator:
3804 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3805 type: string
3806 values:
3807 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3808 type: array
3809 items:
3810 type: string
3811 matchLabels:
3812 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3813 type: object
3814 additionalProperties:
3815 type: string
3816 x-kubernetes-map-type: atomic
3817 namespaces:
3818 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3819 type: array
3820 items:
3821 type: string
3822 topologyKey:
3823 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3824 type: string
3825 podAntiAffinity:
3826 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3827 type: object
3828 properties:
3829 preferredDuringSchedulingIgnoredDuringExecution:
3830 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3831 type: array
3832 items:
3833 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3834 type: object
3835 required:
3836 - podAffinityTerm
3837 - weight
3838 properties:
3839 podAffinityTerm:
3840 description: Required. A pod affinity term, associated with the corresponding weight.
3841 type: object
3842 required:
3843 - topologyKey
3844 properties:
3845 labelSelector:
3846 description: A label query over a set of resources, in this case pods.
3847 type: object
3848 properties:
3849 matchExpressions:
3850 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3851 type: array
3852 items:
3853 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3854 type: object
3855 required:
3856 - key
3857 - operator
3858 properties:
3859 key:
3860 description: key is the label key that the selector applies to.
3861 type: string
3862 operator:
3863 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3864 type: string
3865 values:
3866 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3867 type: array
3868 items:
3869 type: string
3870 matchLabels:
3871 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3872 type: object
3873 additionalProperties:
3874 type: string
3875 x-kubernetes-map-type: atomic
3876 namespaceSelector:
3877 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3878 type: object
3879 properties:
3880 matchExpressions:
3881 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3882 type: array
3883 items:
3884 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3885 type: object
3886 required:
3887 - key
3888 - operator
3889 properties:
3890 key:
3891 description: key is the label key that the selector applies to.
3892 type: string
3893 operator:
3894 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3895 type: string
3896 values:
3897 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3898 type: array
3899 items:
3900 type: string
3901 matchLabels:
3902 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3903 type: object
3904 additionalProperties:
3905 type: string
3906 x-kubernetes-map-type: atomic
3907 namespaces:
3908 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3909 type: array
3910 items:
3911 type: string
3912 topologyKey:
3913 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3914 type: string
3915 weight:
3916 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3917 type: integer
3918 format: int32
3919 requiredDuringSchedulingIgnoredDuringExecution:
3920 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3921 type: array
3922 items:
3923 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3924 type: object
3925 required:
3926 - topologyKey
3927 properties:
3928 labelSelector:
3929 description: A label query over a set of resources, in this case pods.
3930 type: object
3931 properties:
3932 matchExpressions:
3933 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3934 type: array
3935 items:
3936 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3937 type: object
3938 required:
3939 - key
3940 - operator
3941 properties:
3942 key:
3943 description: key is the label key that the selector applies to.
3944 type: string
3945 operator:
3946 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3947 type: string
3948 values:
3949 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3950 type: array
3951 items:
3952 type: string
3953 matchLabels:
3954 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3955 type: object
3956 additionalProperties:
3957 type: string
3958 x-kubernetes-map-type: atomic
3959 namespaceSelector:
3960 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
3961 type: object
3962 properties:
3963 matchExpressions:
3964 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3965 type: array
3966 items:
3967 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3968 type: object
3969 required:
3970 - key
3971 - operator
3972 properties:
3973 key:
3974 description: key is the label key that the selector applies to.
3975 type: string
3976 operator:
3977 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3978 type: string
3979 values:
3980 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3981 type: array
3982 items:
3983 type: string
3984 matchLabels:
3985 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3986 type: object
3987 additionalProperties:
3988 type: string
3989 x-kubernetes-map-type: atomic
3990 namespaces:
3991 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3992 type: array
3993 items:
3994 type: string
3995 topologyKey:
3996 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3997 type: string
3998 imagePullSecrets:
3999 description: If specified, the pod's imagePullSecrets
4000 type: array
4001 items:
4002 description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
4003 type: object
4004 properties:
4005 name:
4006 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
4007 type: string
4008 x-kubernetes-map-type: atomic
4009 nodeSelector:
4010 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
4011 type: object
4012 additionalProperties:
4013 type: string
4014 priorityClassName:
4015 description: If specified, the pod's priorityClassName.
4016 type: string
4017 serviceAccountName:
4018 description: If specified, the pod's service account
4019 type: string
4020 tolerations:
4021 description: If specified, the pod's tolerations.
4022 type: array
4023 items:
4024 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
4025 type: object
4026 properties:
4027 effect:
4028 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4029 type: string
4030 key:
4031 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4032 type: string
4033 operator:
4034 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
4035 type: string
4036 tolerationSeconds:
4037 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
4038 type: integer
4039 format: int64
4040 value:
4041 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
4042 type: string
4043 serviceType:
4044 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4045 type: string
4046 selector:
4047 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
4048 type: object
4049 properties:
4050 dnsNames:
4051 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4052 type: array
4053 items:
4054 type: string
4055 dnsZones:
4056 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4057 type: array
4058 items:
4059 type: string
4060 matchLabels:
 description: A label selector that is used to refine the set of Certificates that this challenge solver will apply to.
4062 type: object
4063 additionalProperties:
4064 type: string
4065 ca:
4066 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
4067 type: object
4068 required:
4069 - secretName
4070 properties:
4071 crlDistributionPoints:
4072 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
4073 type: array
4074 items:
4075 type: string
4076 ocspServers:
4077 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
4078 type: array
4079 items:
4080 type: string
4081 secretName:
4082 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
4083 type: string
4084 selfSigned:
4085 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
4086 type: object
4087 properties:
4088 crlDistributionPoints:
4089 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
4090 type: array
4091 items:
4092 type: string
4093 vault:
4094 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
4095 type: object
4096 required:
4097 - auth
4098 - path
4099 - server
4100 properties:
4101 auth:
4102 description: Auth configures how cert-manager authenticates with the Vault server.
4103 type: object
4104 properties:
4105 appRole:
4106 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
4107 type: object
4108 required:
4109 - path
4110 - roleId
4111 - secretRef
4112 properties:
4113 path:
4114 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
4115 type: string
4116 roleId:
4117 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
4118 type: string
4119 secretRef:
4120 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
4121 type: object
4122 required:
4123 - name
4124 properties:
4125 key:
4126 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4127 type: string
4128 name:
4129 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4130 type: string
4131 kubernetes:
4132 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
4133 type: object
4134 required:
4135 - role
4136 properties:
4137 mountPath:
4138 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
4139 type: string
4140 role:
4141 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
4142 type: string
4143 secretRef:
4144 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
4145 type: object
4146 required:
4147 - name
4148 properties:
4149 key:
4150 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4151 type: string
4152 name:
4153 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4154 type: string
4155 serviceAccountRef:
4156 description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
4157 type: object
4158 required:
4159 - name
4160 properties:
4161 name:
4162 description: Name of the ServiceAccount used to request a token.
4163 type: string
4164 tokenSecretRef:
4165 description: TokenSecretRef authenticates with Vault by presenting a token.
4166 type: object
4167 required:
4168 - name
4169 properties:
4170 key:
4171 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4172 type: string
4173 name:
4174 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4175 type: string
4176 caBundle:
4177 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
4178 type: string
4179 format: byte
4180 caBundleSecretRef:
4181 description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
4182 type: object
4183 required:
4184 - name
4185 properties:
4186 key:
4187 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4188 type: string
4189 name:
4190 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4191 type: string
4192 namespace:
4193 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
4194 type: string
4195 path:
4196 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
4197 type: string
4198 server:
4199 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
4200 type: string
4201 venafi:
4202 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
4203 type: object
4204 required:
4205 - zone
4206 properties:
4207 cloud:
4208 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
4209 type: object
4210 required:
4211 - apiTokenSecretRef
4212 properties:
4213 apiTokenSecretRef:
4214 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
4215 type: object
4216 required:
4217 - name
4218 properties:
4219 key:
4220 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4221 type: string
4222 name:
4223 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4224 type: string
4225 url:
4226 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
4227 type: string
4228 tpp:
4229 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
4230 type: object
4231 required:
4232 - credentialsRef
4233 - url
4234 properties:
4235 caBundle:
4236 description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
4237 type: string
4238 format: byte
4239 credentialsRef:
4240 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
4241 type: object
4242 required:
4243 - name
4244 properties:
4245 name:
4246 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4247 type: string
4248 url:
4249 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
4250 type: string
4251 zone:
4252 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
4253 type: string
4254 status:
4255 description: Status of the Issuer. This is set and managed automatically.
4256 type: object
4257 properties:
4258 acme:
4259 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
4260 type: object
4261 properties:
4262 lastPrivateKeyHash:
4263 description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
4264 type: string
4265 lastRegisteredEmail:
4266 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
4267 type: string
4268 uri:
4269 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
4270 type: string
4271 conditions:
 description: List of status conditions to indicate the status of an Issuer. Known condition types are `Ready`.
4273 type: array
4274 items:
4275 description: IssuerCondition contains condition information for an Issuer.
4276 type: object
4277 required:
4278 - status
4279 - type
4280 properties:
4281 lastTransitionTime:
4282 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
4283 type: string
4284 format: date-time
4285 message:
4286 description: Message is a human readable description of the details of the last transition, complementing reason.
4287 type: string
4288 observedGeneration:
4289 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
4290 type: integer
4291 format: int64
4292 reason:
4293 description: Reason is a brief machine readable explanation for the condition's last transition.
4294 type: string
4295 status:
4296 description: Status of the condition, one of (`True`, `False`, `Unknown`).
4297 type: string
4298 enum:
4299 - "True"
4300 - "False"
4301 - Unknown
4302 type:
4303 description: Type of the condition, known values are (`Ready`).
4304 type: string
4305 x-kubernetes-list-map-keys:
4306 - type
4307 x-kubernetes-list-type: map
4308 served: true
4309 storage: true
4310---
4311# Source: cert-manager/templates/crds.yaml
4312apiVersion: apiextensions.k8s.io/v1
4313kind: CustomResourceDefinition
4314metadata:
4315 name: orders.acme.cert-manager.io
4316 labels:
4317 app: 'cert-manager'
4318 app.kubernetes.io/name: 'cert-manager'
4319 app.kubernetes.io/instance: 'cert-manager'
4320 # Generated labels
4321 app.kubernetes.io/version: "v1.12.0"
4322spec:
4323 group: acme.cert-manager.io
4324 names:
4325 kind: Order
4326 listKind: OrderList
4327 plural: orders
4328 singular: order
4329 categories:
4330 - cert-manager
4331 - cert-manager-acme
4332 scope: Namespaced
4333 versions:
4334 - name: v1
4335 subresources:
4336 status: {}
4337 additionalPrinterColumns:
4338 - jsonPath: .status.state
4339 name: State
4340 type: string
4341 - jsonPath: .spec.issuerRef.name
4342 name: Issuer
4343 priority: 1
4344 type: string
4345 - jsonPath: .status.reason
4346 name: Reason
4347 priority: 1
4348 type: string
4349 - jsonPath: .metadata.creationTimestamp
4350 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4351 name: Age
4352 type: date
4353 schema:
4354 openAPIV3Schema:
4355 description: Order is a type to represent an Order with an ACME server
4356 type: object
4357 required:
4358 - metadata
4359 - spec
4360 properties:
4361 apiVersion:
4362 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4363 type: string
4364 kind:
4365 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4366 type: string
4367 metadata:
4368 type: object
4369 spec:
4370 type: object
4371 required:
4372 - issuerRef
4373 - request
4374 properties:
4375 commonName:
4376 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
4377 type: string
4378 dnsNames:
4379 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4380 type: array
4381 items:
4382 type: string
4383 duration:
4384 description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
4385 type: string
4386 ipAddresses:
4387 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
4388 type: array
4389 items:
4390 type: string
4391 issuerRef:
4392 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
4393 type: object
4394 required:
4395 - name
4396 properties:
4397 group:
4398 description: Group of the resource being referred to.
4399 type: string
4400 kind:
4401 description: Kind of the resource being referred to.
4402 type: string
4403 name:
4404 description: Name of the resource being referred to.
4405 type: string
4406 request:
4407 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
4408 type: string
4409 format: byte
4410 status:
4411 type: object
4412 properties:
4413 authorizations:
4414 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
4415 type: array
4416 items:
 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
4418 type: object
4419 required:
4420 - url
4421 properties:
4422 challenges:
4423 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
4424 type: array
4425 items:
4426 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
4427 type: object
4428 required:
4429 - token
4430 - type
4431 - url
4432 properties:
4433 token:
4434 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
4435 type: string
4436 type:
4437 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
4438 type: string
4439 url:
4440 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
4441 type: string
4442 identifier:
4443 description: Identifier is the DNS name to be validated as part of this authorization
4444 type: string
4445 initialState:
4446 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
4447 type: string
4448 enum:
4449 - valid
4450 - ready
4451 - pending
4452 - processing
4453 - invalid
4454 - expired
4455 - errored
4456 url:
4457 description: URL is the URL of the Authorization that must be completed
4458 type: string
4459 wildcard:
4460 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
4461 type: boolean
4462 certificate:
4463 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
4464 type: string
4465 format: byte
4466 failureTime:
4467 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
4468 type: string
4469 format: date-time
4470 finalizeURL:
4471 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
4472 type: string
4473 reason:
4474 description: Reason optionally provides more information about a why the order is in the current state.
4475 type: string
4476 state:
4477 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
4478 type: string
4479 enum:
4480 - valid
4481 - ready
4482 - pending
4483 - processing
4484 - invalid
4485 - expired
4486 - errored
4487 url:
4488 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
4489 type: string
4490 served: true
4491 storage: true
4492---
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
# Identity for the cainjector component. The service-account token is
# explicitly auto-mounted (automountServiceAccountToken: true), so every pod
# running as this account receives API credentials. What those credentials can
# do is decided by the roles bound to this account; presumably the
# cert-manager-cainjector ClusterRole defined later in this file (the binding
# itself is outside this section). Because that role reaches Secrets and
# admission webhook configurations cluster-wide, treat this account as
# highly privileged.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.12.0"
4506---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity for the cert-manager controller. The token is explicitly
# auto-mounted (automountServiceAccountToken: true), which the controller needs
# to talk to the API server. The controller ClusterRoles defined later in this
# file (issuers, clusterissuers, certificates, orders, challenges) are
# presumably bound to this account; the bindings are outside this section.
# Those roles include create/update/delete on Secrets with no namespace
# restriction, so a compromise of a pod running as this account exposes
# Secrets cluster-wide.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.0"
4520---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
# Identity for the admission webhook component. The token is explicitly
# auto-mounted (automountServiceAccountToken: true). The roles bound to this
# account are not part of this section; review them separately, since the
# webhook sits in the admission path for cert-manager resources.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.12.0"
4534---
# Source: cert-manager/templates/webhook-config.yaml
# Configuration ConfigMap for the webhook. In this rendering `data:` is left
# bare, which YAML parses as null rather than as an empty map; `data: {}` would
# state the "no entries" intent explicitly and satisfy yamllint's empty-values
# rule. NOTE(review): presumably populated from chart values when a webhook
# config file is supplied — confirm against the chart template before relying
# on it being empty.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.12.0"
data:
4548---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Permissions for the cainjector. Security-relevant points for reviewers:
#  * get/list/watch on Secrets with no namespace restriction. As a ClusterRole,
#    once bound cluster-wide (the binding is outside this section) this reads
#    every Secret in the cluster, not just CA bundles. A compromised cainjector
#    pod therefore has cluster-wide Secret read access.
#  * update/patch on validating/mutating webhook configurations, APIServices
#    and CRDs. Presumably used to write CA bundles into those objects, but the
#    same verbs permit rewriting any other field of them (for example a
#    webhook's clientConfig or failurePolicy), which gives this identity
#    significant influence over the cluster's admission path.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.12.0"
rules:
  # Read-only on Certificates.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Read-only, but cluster-wide, on Secrets (see header note).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  # Write access to admission webhook configurations (see header note).
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Write access to aggregated API registrations.
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Write access to CRDs (conversion webhook CA bundles live here).
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "patch"]
4579---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
# Issuers are namespaced, but this is a ClusterRole: when bound cluster-wide
# (binding outside this section) the Secret rule below grants
# get/list/watch/create/update/delete on Secrets in every namespace, not only
# the ones an Issuer references. No `patch` verb is granted here, unlike the
# certificates controller role later in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.0"
rules:
  # Write Issuer objects and their status subresource.
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # Full lifecycle on Secrets, cluster-wide (see header note).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
4605---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
# Mirrors the Issuer controller role for the cluster-scoped ClusterIssuer
# kind. The Secret rule is again unrestricted by namespace:
# get/list/watch/create/update/delete on every Secret in the cluster once
# bound cluster-wide (binding outside this section).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.0"
rules:
  # Write ClusterIssuer objects and their status subresource.
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Full lifecycle on Secrets, cluster-wide (see header note).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
4631---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
# The broadest Secret access in this file: get/list/watch/create/update/delete
# AND patch on Secrets, unrestricted by namespace once bound cluster-wide
# (binding outside this section). This is where issued private keys and
# certificates are written, so the pod holding this role can read or replace
# any Secret in the cluster. It also creates/deletes ACME Orders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.0"
rules:
  # Write Certificates/CertificateRequests and their status subresources.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  # Create and delete ACME Orders (no update: Orders are owned, not mutated, here).
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # Full lifecycle including patch on Secrets, cluster-wide (see header note).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
4666---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
# Narrower than the issuer/certificate roles: Secrets are read-only here
# (get/list/watch), though still unrestricted by namespace once bound
# cluster-wide (binding outside this section). Writes are limited to Orders,
# their status/finalizers, and creating/deleting Challenges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.12.0"
rules:
  # Write Orders and their status subresource.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # Challenges are created and deleted by this controller but not updated.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Read-only on Secrets, cluster-wide (see header note).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
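---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role.
# Cluster-scoped and without resourceNames: every grant applies in all
# namespaces. The trailing "DNS01" secrets rule of the original manifest was
# byte-for-byte identical to the secrets rule below; RBAC unions rules, so
# the duplicate added no permission and has been dropped here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: "v1.12.0"
rules:
  # Update Challenge resources and their status subresource.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Watch Challenge resources.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Watch Issuer and ClusterIssuer resources.
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Read Secrets: the ACME account private key is needed to complete
  # challenges. This rule also serves the DNS01 solvers.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Event emission.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 solver rules: Pods and Services are created and deleted,
  # Ingresses and HTTPRoutes additionally updated.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # A custom hostname must be specifiable when creating new Ingress resources
  # on OpenShift.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # Finalizer updates are required for users running the
  # OwnerReferencesPermissionEnforcement admission controller:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]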
4765# Source: cert-manager/templates/rbac.yaml
4766# ingress-shim controller role
4767apiVersion: rbac.authorization.k8s.io/v1
4768kind: ClusterRole
4769metadata:
4770 name: cert-manager-controller-ingress-shim
4771 labels:
4772 app: cert-manager
4773 app.kubernetes.io/name: cert-manager
4774 app.kubernetes.io/instance: cert-manager
4775 app.kubernetes.io/component: "controller"
4776 app.kubernetes.io/version: "v1.12.0"
4777rules:
4778 - apiGroups: ["cert-manager.io"]
4779 resources: ["certificates", "certificaterequests"]
4780 verbs: ["create", "update", "delete"]
4781 - apiGroups: ["cert-manager.io"]
4782 resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
4783 verbs: ["get", "list", "watch"]
4784 - apiGroups: ["networking.k8s.io"]
4785 resources: ["ingresses"]
4786 verbs: ["get", "list", "watch"]
4787 # We require these rules to support users with the OwnerReferencesPermissionEnforcement
4788 # admission controller enabled:
4789 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
4790 - apiGroups: ["networking.k8s.io"]
4791 resources: ["ingresses/finalizers"]
4792 verbs: ["update"]
4793 - apiGroups: ["gateway.networking.k8s.io"]
4794 resources: ["gateways", "httproutes"]
4795 verbs: ["get", "list", "watch"]
4796 - apiGroups: ["gateway.networking.k8s.io"]
4797 resources: ["gateways/finalizers", "httproutes/finalizers"]
4798 verbs: ["update"]
4799 - apiGroups: [""]
4800 resources: ["events"]
4801 verbs: ["create", "patch"]
4802---
4803# Source: cert-manager/templates/rbac.yaml
4804apiVersion: rbac.authorization.k8s.io/v1
4805kind: ClusterRole
4806metadata:
4807 name: cert-manager-view
4808 labels:
4809 app: cert-manager
4810 app.kubernetes.io/name: cert-manager
4811 app.kubernetes.io/instance: cert-manager
4812 app.kubernetes.io/component: "controller"
4813 app.kubernetes.io/version: "v1.12.0"
4814 rbac.authorization.k8s.io/aggregate-to-view: "true"
4815 rbac.authorization.k8s.io/aggregate-to-edit: "true"
4816 rbac.authorization.k8s.io/aggregate-to-admin: "true"
4817rules:
4818 - apiGroups: ["cert-manager.io"]
4819 resources: ["certificates", "certificaterequests", "issuers"]
4820 verbs: ["get", "list", "watch"]
4821 - apiGroups: ["acme.cert-manager.io"]
4822 resources: ["challenges", "orders"]
4823 verbs: ["get", "list", "watch"]
4824---
4825# Source: cert-manager/templates/rbac.yaml
4826apiVersion: rbac.authorization.k8s.io/v1
4827kind: ClusterRole
4828metadata:
4829 name: cert-manager-edit
4830 labels:
4831 app: cert-manager
4832 app.kubernetes.io/name: cert-manager
4833 app.kubernetes.io/instance: cert-manager
4834 app.kubernetes.io/component: "controller"
4835 app.kubernetes.io/version: "v1.12.0"
4836 rbac.authorization.k8s.io/aggregate-to-edit: "true"
4837 rbac.authorization.k8s.io/aggregate-to-admin: "true"
4838rules:
4839 - apiGroups: ["cert-manager.io"]
4840 resources: ["certificates", "certificaterequests", "issuers"]
4841 verbs: ["create", "delete", "deletecollection", "patch", "update"]
4842 - apiGroups: ["cert-manager.io"]
4843 resources: ["certificates/status"]
4844 verbs: ["update"]
4845 - apiGroups: ["acme.cert-manager.io"]
4846 resources: ["challenges", "orders"]
4847 verbs: ["create", "delete", "deletecollection", "patch", "update"]
4848---
4849# Source: cert-manager/templates/rbac.yaml
4850# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
4851apiVersion: rbac.authorization.k8s.io/v1
4852kind: ClusterRole
4853metadata:
4854 name: cert-manager-controller-approve:cert-manager-io
4855 labels:
4856 app: cert-manager
4857 app.kubernetes.io/name: cert-manager
4858 app.kubernetes.io/instance: cert-manager
4859 app.kubernetes.io/component: "cert-manager"
4860 app.kubernetes.io/version: "v1.12.0"
4861rules:
4862 - apiGroups: ["cert-manager.io"]
4863 resources: ["signers"]
4864 verbs: ["approve"]
4865 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
4866---
4867# Source: cert-manager/templates/rbac.yaml
4868# Permission to:
4869# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
4870# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
4871apiVersion: rbac.authorization.k8s.io/v1
4872kind: ClusterRole
4873metadata:
4874 name: cert-manager-controller-certificatesigningrequests
4875 labels:
4876 app: cert-manager
4877 app.kubernetes.io/name: cert-manager
4878 app.kubernetes.io/instance: cert-manager
4879 app.kubernetes.io/component: "cert-manager"
4880 app.kubernetes.io/version: "v1.12.0"
4881rules:
4882 - apiGroups: ["certificates.k8s.io"]
4883 resources: ["certificatesigningrequests"]
4884 verbs: ["get", "list", "watch", "update"]
4885 - apiGroups: ["certificates.k8s.io"]
4886 resources: ["certificatesigningrequests/status"]
4887 verbs: ["update", "patch"]
4888 - apiGroups: ["certificates.k8s.io"]
4889 resources: ["signers"]
4890 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
4891 verbs: ["sign"]
4892 - apiGroups: ["authorization.k8s.io"]
4893 resources: ["subjectaccessreviews"]
4894 verbs: ["create"]
4895---
4896# Source: cert-manager/templates/webhook-rbac.yaml
4897apiVersion: rbac.authorization.k8s.io/v1
4898kind: ClusterRole
4899metadata:
4900 name: cert-manager-webhook:subjectaccessreviews
4901 labels:
4902 app: webhook
4903 app.kubernetes.io/name: webhook
4904 app.kubernetes.io/instance: cert-manager
4905 app.kubernetes.io/component: "webhook"
4906 app.kubernetes.io/version: "v1.12.0"
4907rules:
4908- apiGroups: ["authorization.k8s.io"]
4909 resources: ["subjectaccessreviews"]
4910 verbs: ["create"]
4911---
4912# Source: cert-manager/templates/cainjector-rbac.yaml
4913apiVersion: rbac.authorization.k8s.io/v1
4914kind: ClusterRoleBinding
4915metadata:
4916 name: cert-manager-cainjector
4917 labels:
4918 app: cainjector
4919 app.kubernetes.io/name: cainjector
4920 app.kubernetes.io/instance: cert-manager
4921 app.kubernetes.io/component: "cainjector"
4922 app.kubernetes.io/version: "v1.12.0"
4923roleRef:
4924 apiGroup: rbac.authorization.k8s.io
4925 kind: ClusterRole
4926 name: cert-manager-cainjector
4927subjects:
4928 - name: cert-manager-cainjector
4929 namespace: cert-manager
4930 kind: ServiceAccount
4931---
4932# Source: cert-manager/templates/rbac.yaml
4933apiVersion: rbac.authorization.k8s.io/v1
4934kind: ClusterRoleBinding
4935metadata:
4936 name: cert-manager-controller-issuers
4937 labels:
4938 app: cert-manager
4939 app.kubernetes.io/name: cert-manager
4940 app.kubernetes.io/instance: cert-manager
4941 app.kubernetes.io/component: "controller"
4942 app.kubernetes.io/version: "v1.12.0"
4943roleRef:
4944 apiGroup: rbac.authorization.k8s.io
4945 kind: ClusterRole
4946 name: cert-manager-controller-issuers
4947subjects:
4948 - name: cert-manager
4949 namespace: cert-manager
4950 kind: ServiceAccount
4951---
4952# Source: cert-manager/templates/rbac.yaml
4953apiVersion: rbac.authorization.k8s.io/v1
4954kind: ClusterRoleBinding
4955metadata:
4956 name: cert-manager-controller-clusterissuers
4957 labels:
4958 app: cert-manager
4959 app.kubernetes.io/name: cert-manager
4960 app.kubernetes.io/instance: cert-manager
4961 app.kubernetes.io/component: "controller"
4962 app.kubernetes.io/version: "v1.12.0"
4963roleRef:
4964 apiGroup: rbac.authorization.k8s.io
4965 kind: ClusterRole
4966 name: cert-manager-controller-clusterissuers
4967subjects:
4968 - name: cert-manager
4969 namespace: cert-manager
4970 kind: ServiceAccount
4971---
4972# Source: cert-manager/templates/rbac.yaml
4973apiVersion: rbac.authorization.k8s.io/v1
4974kind: ClusterRoleBinding
4975metadata:
4976 name: cert-manager-controller-certificates
4977 labels:
4978 app: cert-manager
4979 app.kubernetes.io/name: cert-manager
4980 app.kubernetes.io/instance: cert-manager
4981 app.kubernetes.io/component: "controller"
4982 app.kubernetes.io/version: "v1.12.0"
4983roleRef:
4984 apiGroup: rbac.authorization.k8s.io
4985 kind: ClusterRole
4986 name: cert-manager-controller-certificates
4987subjects:
4988 - name: cert-manager
4989 namespace: cert-manager
4990 kind: ServiceAccount
4991---
4992# Source: cert-manager/templates/rbac.yaml
4993apiVersion: rbac.authorization.k8s.io/v1
4994kind: ClusterRoleBinding
4995metadata:
4996 name: cert-manager-controller-orders
4997 labels:
4998 app: cert-manager
4999 app.kubernetes.io/name: cert-manager
5000 app.kubernetes.io/instance: cert-manager
5001 app.kubernetes.io/component: "controller"
5002 app.kubernetes.io/version: "v1.12.0"
5003roleRef:
5004 apiGroup: rbac.authorization.k8s.io
5005 kind: ClusterRole
5006 name: cert-manager-controller-orders
5007subjects:
5008 - name: cert-manager
5009 namespace: cert-manager
5010 kind: ServiceAccount
5011---
5012# Source: cert-manager/templates/rbac.yaml
5013apiVersion: rbac.authorization.k8s.io/v1
5014kind: ClusterRoleBinding
5015metadata:
5016 name: cert-manager-controller-challenges
5017 labels:
5018 app: cert-manager
5019 app.kubernetes.io/name: cert-manager
5020 app.kubernetes.io/instance: cert-manager
5021 app.kubernetes.io/component: "controller"
5022 app.kubernetes.io/version: "v1.12.0"
5023roleRef:
5024 apiGroup: rbac.authorization.k8s.io
5025 kind: ClusterRole
5026 name: cert-manager-controller-challenges
5027subjects:
5028 - name: cert-manager
5029 namespace: cert-manager
5030 kind: ServiceAccount
5031---
5032# Source: cert-manager/templates/rbac.yaml
5033apiVersion: rbac.authorization.k8s.io/v1
5034kind: ClusterRoleBinding
5035metadata:
5036 name: cert-manager-controller-ingress-shim
5037 labels:
5038 app: cert-manager
5039 app.kubernetes.io/name: cert-manager
5040 app.kubernetes.io/instance: cert-manager
5041 app.kubernetes.io/component: "controller"
5042 app.kubernetes.io/version: "v1.12.0"
5043roleRef:
5044 apiGroup: rbac.authorization.k8s.io
5045 kind: ClusterRole
5046 name: cert-manager-controller-ingress-shim
5047subjects:
5048 - name: cert-manager
5049 namespace: cert-manager
5050 kind: ServiceAccount
5051---
5052# Source: cert-manager/templates/rbac.yaml
5053apiVersion: rbac.authorization.k8s.io/v1
5054kind: ClusterRoleBinding
5055metadata:
5056 name: cert-manager-controller-approve:cert-manager-io
5057 labels:
5058 app: cert-manager
5059 app.kubernetes.io/name: cert-manager
5060 app.kubernetes.io/instance: cert-manager
5061 app.kubernetes.io/component: "cert-manager"
5062 app.kubernetes.io/version: "v1.12.0"
5063roleRef:
5064 apiGroup: rbac.authorization.k8s.io
5065 kind: ClusterRole
5066 name: cert-manager-controller-approve:cert-manager-io
5067subjects:
5068 - name: cert-manager
5069 namespace: cert-manager
5070 kind: ServiceAccount
5071---
5072# Source: cert-manager/templates/rbac.yaml
5073apiVersion: rbac.authorization.k8s.io/v1
5074kind: ClusterRoleBinding
5075metadata:
5076 name: cert-manager-controller-certificatesigningrequests
5077 labels:
5078 app: cert-manager
5079 app.kubernetes.io/name: cert-manager
5080 app.kubernetes.io/instance: cert-manager
5081 app.kubernetes.io/component: "cert-manager"
5082 app.kubernetes.io/version: "v1.12.0"
5083roleRef:
5084 apiGroup: rbac.authorization.k8s.io
5085 kind: ClusterRole
5086 name: cert-manager-controller-certificatesigningrequests
5087subjects:
5088 - name: cert-manager
5089 namespace: cert-manager
5090 kind: ServiceAccount
5091---
5092# Source: cert-manager/templates/webhook-rbac.yaml
5093apiVersion: rbac.authorization.k8s.io/v1
5094kind: ClusterRoleBinding
5095metadata:
5096 name: cert-manager-webhook:subjectaccessreviews
5097 labels:
5098 app: webhook
5099 app.kubernetes.io/name: webhook
5100 app.kubernetes.io/instance: cert-manager
5101 app.kubernetes.io/component: "webhook"
5102 app.kubernetes.io/version: "v1.12.0"
5103roleRef:
5104 apiGroup: rbac.authorization.k8s.io
5105 kind: ClusterRole
5106 name: cert-manager-webhook:subjectaccessreviews
5107subjects:
5108- apiGroup: ""
5109 kind: ServiceAccount
5110 name: cert-manager-webhook
5111 namespace: cert-manager
5112---
5113# Source: cert-manager/templates/cainjector-rbac.yaml
5114# leader election rules
5115apiVersion: rbac.authorization.k8s.io/v1
5116kind: Role
5117metadata:
5118 name: cert-manager-cainjector:leaderelection
5119 namespace: kube-system
5120 labels:
5121 app: cainjector
5122 app.kubernetes.io/name: cainjector
5123 app.kubernetes.io/instance: cert-manager
5124 app.kubernetes.io/component: "cainjector"
5125 app.kubernetes.io/version: "v1.12.0"
5126rules:
5127 # Used for leader election by the controller
5128 # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
5129 # see cmd/cainjector/start.go#L113
5130 # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
5131 # see cmd/cainjector/start.go#L137
5132 - apiGroups: ["coordination.k8s.io"]
5133 resources: ["leases"]
5134 resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
5135 verbs: ["get", "update", "patch"]
5136 - apiGroups: ["coordination.k8s.io"]
5137 resources: ["leases"]
5138 verbs: ["create"]
5139---
5140# Source: cert-manager/templates/rbac.yaml
5141apiVersion: rbac.authorization.k8s.io/v1
5142kind: Role
5143metadata:
5144 name: cert-manager:leaderelection
5145 namespace: kube-system
5146 labels:
5147 app: cert-manager
5148 app.kubernetes.io/name: cert-manager
5149 app.kubernetes.io/instance: cert-manager
5150 app.kubernetes.io/component: "controller"
5151 app.kubernetes.io/version: "v1.12.0"
5152rules:
5153 - apiGroups: ["coordination.k8s.io"]
5154 resources: ["leases"]
5155 resourceNames: ["cert-manager-controller"]
5156 verbs: ["get", "update", "patch"]
5157 - apiGroups: ["coordination.k8s.io"]
5158 resources: ["leases"]
5159 verbs: ["create"]
5160---
5161# Source: cert-manager/templates/webhook-rbac.yaml
5162apiVersion: rbac.authorization.k8s.io/v1
5163kind: Role
5164metadata:
5165 name: cert-manager-webhook:dynamic-serving
5166 namespace: cert-manager
5167 labels:
5168 app: webhook
5169 app.kubernetes.io/name: webhook
5170 app.kubernetes.io/instance: cert-manager
5171 app.kubernetes.io/component: "webhook"
5172 app.kubernetes.io/version: "v1.12.0"
5173rules:
5174- apiGroups: [""]
5175 resources: ["secrets"]
5176 resourceNames:
5177 - 'cert-manager-webhook-ca'
5178 verbs: ["get", "list", "watch", "update"]
5179# It's not possible to grant CREATE permission on a single resourceName.
5180- apiGroups: [""]
5181 resources: ["secrets"]
5182 verbs: ["create"]
5183---
5184# Source: cert-manager/templates/cainjector-rbac.yaml
5185# grant cert-manager permission to manage the leaderelection configmap in the
5186# leader election namespace
5187apiVersion: rbac.authorization.k8s.io/v1
5188kind: RoleBinding
5189metadata:
5190 name: cert-manager-cainjector:leaderelection
5191 namespace: kube-system
5192 labels:
5193 app: cainjector
5194 app.kubernetes.io/name: cainjector
5195 app.kubernetes.io/instance: cert-manager
5196 app.kubernetes.io/component: "cainjector"
5197 app.kubernetes.io/version: "v1.12.0"
5198roleRef:
5199 apiGroup: rbac.authorization.k8s.io
5200 kind: Role
5201 name: cert-manager-cainjector:leaderelection
5202subjects:
5203 - kind: ServiceAccount
5204 name: cert-manager-cainjector
5205 namespace: cert-manager
5206---
5207# Source: cert-manager/templates/rbac.yaml
5208# grant cert-manager permission to manage the leaderelection configmap in the
5209# leader election namespace
5210apiVersion: rbac.authorization.k8s.io/v1
5211kind: RoleBinding
5212metadata:
5213 name: cert-manager:leaderelection
5214 namespace: kube-system
5215 labels:
5216 app: cert-manager
5217 app.kubernetes.io/name: cert-manager
5218 app.kubernetes.io/instance: cert-manager
5219 app.kubernetes.io/component: "controller"
5220 app.kubernetes.io/version: "v1.12.0"
5221roleRef:
5222 apiGroup: rbac.authorization.k8s.io
5223 kind: Role
5224 name: cert-manager:leaderelection
5225subjects:
5226 - apiGroup: ""
5227 kind: ServiceAccount
5228 name: cert-manager
5229 namespace: cert-manager
5230---
5231# Source: cert-manager/templates/webhook-rbac.yaml
5232apiVersion: rbac.authorization.k8s.io/v1
5233kind: RoleBinding
5234metadata:
5235 name: cert-manager-webhook:dynamic-serving
5236 namespace: cert-manager
5237 labels:
5238 app: webhook
5239 app.kubernetes.io/name: webhook
5240 app.kubernetes.io/instance: cert-manager
5241 app.kubernetes.io/component: "webhook"
5242 app.kubernetes.io/version: "v1.12.0"
5243roleRef:
5244 apiGroup: rbac.authorization.k8s.io
5245 kind: Role
5246 name: cert-manager-webhook:dynamic-serving
5247subjects:
5248- apiGroup: ""
5249 kind: ServiceAccount
5250 name: cert-manager-webhook
5251 namespace: cert-manager
5252---
5253# Source: cert-manager/templates/service.yaml
5254apiVersion: v1
5255kind: Service
5256metadata:
5257 name: cert-manager
5258 namespace: cert-manager
5259 labels:
5260 app: cert-manager
5261 app.kubernetes.io/name: cert-manager
5262 app.kubernetes.io/instance: cert-manager
5263 app.kubernetes.io/component: "controller"
5264 app.kubernetes.io/version: "v1.12.0"
5265spec:
5266 type: ClusterIP
5267 ports:
5268 - protocol: TCP
5269 port: 9402
5270 name: tcp-prometheus-servicemonitor
5271 targetPort: 9402
5272 selector:
5273 app.kubernetes.io/name: cert-manager
5274 app.kubernetes.io/instance: cert-manager
5275 app.kubernetes.io/component: "controller"
5276---
5277# Source: cert-manager/templates/webhook-service.yaml
5278apiVersion: v1
5279kind: Service
5280metadata:
5281 name: cert-manager-webhook
5282 namespace: cert-manager
5283 labels:
5284 app: webhook
5285 app.kubernetes.io/name: webhook
5286 app.kubernetes.io/instance: cert-manager
5287 app.kubernetes.io/component: "webhook"
5288 app.kubernetes.io/version: "v1.12.0"
5289spec:
5290 type: ClusterIP
5291 ports:
5292 - name: https
5293 port: 443
5294 protocol: TCP
5295 targetPort: "https"
5296 selector:
5297 app.kubernetes.io/name: webhook
5298 app.kubernetes.io/instance: cert-manager
5299 app.kubernetes.io/component: "webhook"
5300---
5301# Source: cert-manager/templates/cainjector-deployment.yaml
5302apiVersion: apps/v1
5303kind: Deployment
5304metadata:
5305 name: cert-manager-cainjector
5306 namespace: cert-manager
5307 labels:
5308 app: cainjector
5309 app.kubernetes.io/name: cainjector
5310 app.kubernetes.io/instance: cert-manager
5311 app.kubernetes.io/component: "cainjector"
5312 app.kubernetes.io/version: "v1.12.0"
5313spec:
5314 replicas: 1
5315 selector:
5316 matchLabels:
5317 app.kubernetes.io/name: cainjector
5318 app.kubernetes.io/instance: cert-manager
5319 app.kubernetes.io/component: "cainjector"
5320 template:
5321 metadata:
5322 labels:
5323 app: cainjector
5324 app.kubernetes.io/name: cainjector
5325 app.kubernetes.io/instance: cert-manager
5326 app.kubernetes.io/component: "cainjector"
5327 app.kubernetes.io/version: "v1.12.0"
5328 spec:
5329 serviceAccountName: cert-manager-cainjector
5330 securityContext:
5331 runAsNonRoot: true
5332 seccompProfile:
5333 type: RuntimeDefault
5334 containers:
5335 - name: cert-manager-cainjector
5336 image: "quay.io/jetstack/cert-manager-cainjector:v1.12.0"
5337 imagePullPolicy: IfNotPresent
5338 args:
5339 - --v=2
5340 - --leader-election-namespace=kube-system
5341 env:
5342 - name: POD_NAMESPACE
5343 valueFrom:
5344 fieldRef:
5345 fieldPath: metadata.namespace
5346 securityContext:
5347 allowPrivilegeEscalation: false
5348 capabilities:
5349 drop:
5350 - ALL
5351 nodeSelector:
5352 kubernetes.io/os: linux
5353---
5354# Source: cert-manager/templates/deployment.yaml
5355apiVersion: apps/v1
5356kind: Deployment
5357metadata:
5358 name: cert-manager
5359 namespace: cert-manager
5360 labels:
5361 app: cert-manager
5362 app.kubernetes.io/name: cert-manager
5363 app.kubernetes.io/instance: cert-manager
5364 app.kubernetes.io/component: "controller"
5365 app.kubernetes.io/version: "v1.12.0"
5366spec:
5367 replicas: 1
5368 selector:
5369 matchLabels:
5370 app.kubernetes.io/name: cert-manager
5371 app.kubernetes.io/instance: cert-manager
5372 app.kubernetes.io/component: "controller"
5373 template:
5374 metadata:
5375 labels:
5376 app: cert-manager
5377 app.kubernetes.io/name: cert-manager
5378 app.kubernetes.io/instance: cert-manager
5379 app.kubernetes.io/component: "controller"
5380 app.kubernetes.io/version: "v1.12.0"
5381 annotations:
5382 prometheus.io/path: "/metrics"
5383 prometheus.io/scrape: 'true'
5384 prometheus.io/port: '9402'
5385 spec:
5386 serviceAccountName: cert-manager
5387 securityContext:
5388 runAsNonRoot: true
5389 seccompProfile:
5390 type: RuntimeDefault
5391 containers:
5392 - name: cert-manager-controller
5393 image: "quay.io/jetstack/cert-manager-controller:v1.12.0"
5394 imagePullPolicy: IfNotPresent
5395 args:
5396 - --v=2
5397 - --cluster-resource-namespace=$(POD_NAMESPACE)
5398 - --leader-election-namespace=kube-system
5399 - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.0
5400 - --max-concurrent-challenges=60
5401 ports:
5402 - containerPort: 9402
5403 name: http-metrics
5404 protocol: TCP
5405 - containerPort: 9403
5406 name: http-healthz
5407 protocol: TCP
5408 securityContext:
5409 allowPrivilegeEscalation: false
5410 capabilities:
5411 drop:
5412 - ALL
5413 env:
5414 - name: POD_NAMESPACE
5415 valueFrom:
5416 fieldRef:
5417 fieldPath: metadata.namespace
5418 nodeSelector:
5419 kubernetes.io/os: linux
5420---
5421# Source: cert-manager/templates/webhook-deployment.yaml
5422apiVersion: apps/v1
5423kind: Deployment
5424metadata:
5425 name: cert-manager-webhook
5426 namespace: cert-manager
5427 labels:
5428 app: webhook
5429 app.kubernetes.io/name: webhook
5430 app.kubernetes.io/instance: cert-manager
5431 app.kubernetes.io/component: "webhook"
5432 app.kubernetes.io/version: "v1.12.0"
5433spec:
5434 replicas: 1
5435 selector:
5436 matchLabels:
5437 app.kubernetes.io/name: webhook
5438 app.kubernetes.io/instance: cert-manager
5439 app.kubernetes.io/component: "webhook"
5440 template:
5441 metadata:
5442 labels:
5443 app: webhook
5444 app.kubernetes.io/name: webhook
5445 app.kubernetes.io/instance: cert-manager
5446 app.kubernetes.io/component: "webhook"
5447 app.kubernetes.io/version: "v1.12.0"
5448 spec:
5449 serviceAccountName: cert-manager-webhook
5450 securityContext:
5451 runAsNonRoot: true
5452 seccompProfile:
5453 type: RuntimeDefault
5454 containers:
5455 - name: cert-manager-webhook
5456 image: "quay.io/jetstack/cert-manager-webhook:v1.12.0"
5457 imagePullPolicy: IfNotPresent
5458 args:
5459 - --v=2
5460 - --secure-port=10250
5461 - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
5462 - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
5463 - --dynamic-serving-dns-names=cert-manager-webhook
5464 - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
5465 - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
5466
5467 ports:
5468 - name: https
5469 protocol: TCP
5470 containerPort: 10250
5471 - name: healthcheck
5472 protocol: TCP
5473 containerPort: 6080
5474 livenessProbe:
5475 httpGet:
5476 path: /livez
5477 port: 6080
5478 scheme: HTTP
5479 initialDelaySeconds: 60
5480 periodSeconds: 10
5481 timeoutSeconds: 1
5482 successThreshold: 1
5483 failureThreshold: 3
5484 readinessProbe:
5485 httpGet:
5486 path: /healthz
5487 port: 6080
5488 scheme: HTTP
5489 initialDelaySeconds: 5
5490 periodSeconds: 5
5491 timeoutSeconds: 1
5492 successThreshold: 1
5493 failureThreshold: 3
5494 securityContext:
5495 allowPrivilegeEscalation: false
5496 capabilities:
5497 drop:
5498 - ALL
5499 env:
5500 - name: POD_NAMESPACE
5501 valueFrom:
5502 fieldRef:
5503 fieldPath: metadata.namespace
5504 nodeSelector:
5505 kubernetes.io/os: linux
5506---
5507# Source: cert-manager/templates/webhook-mutating-webhook.yaml
5508apiVersion: admissionregistration.k8s.io/v1
5509kind: MutatingWebhookConfiguration
5510metadata:
5511 name: cert-manager-webhook
5512 labels:
5513 app: webhook
5514 app.kubernetes.io/name: webhook
5515 app.kubernetes.io/instance: cert-manager
5516 app.kubernetes.io/component: "webhook"
5517 app.kubernetes.io/version: "v1.12.0"
5518 annotations:
5519 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
5520webhooks:
5521 - name: webhook.cert-manager.io
5522 rules:
5523 - apiGroups:
5524 - "cert-manager.io"
5525 - "acme.cert-manager.io"
5526 apiVersions:
5527 - "v1"
5528 operations:
5529 - CREATE
5530 - UPDATE
5531 resources:
5532 - "*/*"
5533 admissionReviewVersions: ["v1"]
5534 # This webhook only accepts v1 cert-manager resources.
5535 # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
5536 # this webhook (after the resources have been converted to v1).
5537 matchPolicy: Equivalent
5538 timeoutSeconds: 10
5539 failurePolicy: Fail
5540 # Only include 'sideEffects' field in Kubernetes 1.12+
5541 sideEffects: None
5542 clientConfig:
5543 service:
5544 name: cert-manager-webhook
5545 namespace: cert-manager
5546 path: /mutate
5547---
5548# Source: cert-manager/templates/webhook-validating-webhook.yaml
5549apiVersion: admissionregistration.k8s.io/v1
5550kind: ValidatingWebhookConfiguration
5551metadata:
5552 name: cert-manager-webhook
5553 labels:
5554 app: webhook
5555 app.kubernetes.io/name: webhook
5556 app.kubernetes.io/instance: cert-manager
5557 app.kubernetes.io/component: "webhook"
5558 app.kubernetes.io/version: "v1.12.0"
5559 annotations:
5560 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
5561webhooks:
5562 - name: webhook.cert-manager.io
5563 namespaceSelector:
5564 matchExpressions:
5565 - key: "cert-manager.io/disable-validation"
5566 operator: "NotIn"
5567 values:
5568 - "true"
5569 - key: "name"
5570 operator: "NotIn"
5571 values:
5572 - cert-manager
5573 rules:
5574 - apiGroups:
5575 - "cert-manager.io"
5576 - "acme.cert-manager.io"
5577 apiVersions:
5578 - "v1"
5579 operations:
5580 - CREATE
5581 - UPDATE
5582 resources:
5583 - "*/*"
5584 admissionReviewVersions: ["v1"]
5585 # This webhook only accepts v1 cert-manager resources.
5586 # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
5587 # this webhook (after the resources have been converted to v1).
5588 matchPolicy: Equivalent
5589 timeoutSeconds: 10
5590 failurePolicy: Fail
5591 sideEffects: None
5592 clientConfig:
5593 service:
5594 name: cert-manager-webhook
5595 namespace: cert-manager
5596 path: /validate