

  1. # Copyright 2022 The cert-manager Authors.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. # Source: cert-manager/templates/crds.yaml
  15. apiVersion: apiextensions.k8s.io/v1
  16. kind: CustomResourceDefinition
  17. metadata:
  18. name: clusterissuers.cert-manager.io
  19. labels:
  20. app: 'cert-manager'
  21. app.kubernetes.io/name: 'cert-manager'
  22. app.kubernetes.io/instance: 'cert-manager'
  23. # Generated labels
  24. app.kubernetes.io/version: "v1.10.1"
  25. spec:
  26. group: cert-manager.io
  27. names:
  28. kind: ClusterIssuer
  29. listKind: ClusterIssuerList
  30. plural: clusterissuers
  31. singular: clusterissuer
  32. categories:
  33. - cert-manager
  34. scope: Cluster
  35. versions:
  36. - name: v1
  37. subresources:
  38. status: {}
  39. additionalPrinterColumns:
  40. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  41. name: Ready
  42. type: string
  43. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  44. name: Status
  45. priority: 1
  46. type: string
  47. - jsonPath: .metadata.creationTimestamp
  48. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  49. name: Age
  50. type: date
  51. schema:
  52. openAPIV3Schema:
  53. description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
  54. type: object
  55. required:
  56. - spec
  57. properties:
  58. apiVersion:
  59. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  60. type: string
  61. kind:
  62. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  63. type: string
  64. metadata:
  65. type: object
  66. spec:
  67. description: Desired state of the ClusterIssuer resource.
  68. type: object
  69. properties:
  70. acme:
  71. description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
  72. type: object
  73. required:
  74. - privateKeySecretRef
  75. - server
  76. properties:
  77. disableAccountKeyGeneration:
  78. description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
  79. type: boolean
  80. email:
  81. description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
  82. type: string
  83. enableDurationFeature:
  84. description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
  85. type: boolean
  86. externalAccountBinding:
  87. description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
  88. type: object
  89. required:
  90. - keyID
  91. - keySecretRef
  92. properties:
  93. keyAlgorithm:
  94. description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
  95. type: string
  96. enum:
  97. - HS256
  98. - HS384
  99. - HS512
  100. keyID:
  101. description: keyID is the ID of the CA key that the External Account is bound to.
  102. type: string
  103. keySecretRef:
  104. description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
  105. type: object
  106. required:
  107. - name
  108. properties:
  109. key:
  110. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  111. type: string
  112. name:
  113. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  114. type: string
  115. preferredChain:
  116. description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
  117. type: string
  118. maxLength: 64
  119. privateKeySecretRef:
  120. description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
  121. type: object
  122. required:
  123. - name
  124. properties:
  125. key:
  126. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  127. type: string
  128. name:
  129. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  130. type: string
  131. server:
  132. description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
  133. type: string
  134. skipTLSVerify:
  135. description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
  136. type: boolean
  137. solvers:
  138. description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
  139. type: array
  140. items:
  141. description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
  142. type: object
  143. properties:
  144. dns01:
  145. description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
  146. type: object
  147. properties:
  148. acmeDNS:
  149. description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
  150. type: object
  151. required:
  152. - accountSecretRef
  153. - host
  154. properties:
  155. accountSecretRef:
  156. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  157. type: object
  158. required:
  159. - name
  160. properties:
  161. key:
  162. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  163. type: string
  164. name:
  165. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  166. type: string
  167. host:
  168. type: string
  169. akamai:
  170. description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
  171. type: object
  172. required:
  173. - accessTokenSecretRef
  174. - clientSecretSecretRef
  175. - clientTokenSecretRef
  176. - serviceConsumerDomain
  177. properties:
  178. accessTokenSecretRef:
  179. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  180. type: object
  181. required:
  182. - name
  183. properties:
  184. key:
  185. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  186. type: string
  187. name:
  188. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  189. type: string
  190. clientSecretSecretRef:
  191. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  192. type: object
  193. required:
  194. - name
  195. properties:
  196. key:
  197. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  198. type: string
  199. name:
  200. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  201. type: string
  202. clientTokenSecretRef:
  203. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  204. type: object
  205. required:
  206. - name
  207. properties:
  208. key:
  209. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  210. type: string
  211. name:
  212. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  213. type: string
  214. serviceConsumerDomain:
  215. type: string
  216. azureDNS:
  217. description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
  218. type: object
  219. required:
  220. - resourceGroupName
  221. - subscriptionID
  222. properties:
  223. clientID:
  224. description: if both this and ClientSecret are left unset MSI will be used
  225. type: string
  226. clientSecretSecretRef:
  227. description: if both this and ClientID are left unset MSI will be used
  228. type: object
  229. required:
  230. - name
  231. properties:
  232. key:
  233. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  234. type: string
  235. name:
  236. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  237. type: string
  238. environment:
  239. description: name of the Azure environment (default AzurePublicCloud)
  240. type: string
  241. enum:
  242. - AzurePublicCloud
  243. - AzureChinaCloud
  244. - AzureGermanCloud
  245. - AzureUSGovernmentCloud
  246. hostedZoneName:
  247. description: name of the DNS zone that should be used
  248. type: string
  249. managedIdentity:
  250. description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
  251. type: object
  252. properties:
  253. clientID:
  254. description: client ID of the managed identity, can not be used at the same time as resourceID
  255. type: string
  256. resourceID:
  257. description: resource ID of the managed identity, can not be used at the same time as clientID
  258. type: string
  259. resourceGroupName:
  260. description: resource group the DNS zone is located in
  261. type: string
  262. subscriptionID:
  263. description: ID of the Azure subscription
  264. type: string
  265. tenantID:
  266. description: when specifying ClientID and ClientSecret then this field is also needed
  267. type: string
  268. cloudDNS:
  269. description: Use the Google Cloud DNS API to manage DNS01 challenge records.
  270. type: object
  271. required:
  272. - project
  273. properties:
  274. hostedZoneName:
  275. description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
  276. type: string
  277. project:
  278. type: string
  279. serviceAccountSecretRef:
  280. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  281. type: object
  282. required:
  283. - name
  284. properties:
  285. key:
  286. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  287. type: string
  288. name:
  289. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  290. type: string
  291. cloudflare:
  292. description: Use the Cloudflare API to manage DNS01 challenge records.
  293. type: object
  294. properties:
  295. apiKeySecretRef:
  296. description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
  297. type: object
  298. required:
  299. - name
  300. properties:
  301. key:
  302. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  303. type: string
  304. name:
  305. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  306. type: string
  307. apiTokenSecretRef:
  308. description: API token used to authenticate with Cloudflare.
  309. type: object
  310. required:
  311. - name
  312. properties:
  313. key:
  314. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  315. type: string
  316. name:
  317. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  318. type: string
  319. email:
  320. description: Email of the account, only required when using API key based authentication.
  321. type: string
  322. cnameStrategy:
  323. description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
  324. type: string
  325. enum:
  326. - None
  327. - Follow
  328. digitalocean:
  329. description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
  330. type: object
  331. required:
  332. - tokenSecretRef
  333. properties:
  334. tokenSecretRef:
  335. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  336. type: object
  337. required:
  338. - name
  339. properties:
  340. key:
  341. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  342. type: string
  343. name:
  344. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  345. type: string
  346. rfc2136:
  347. description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
  348. type: object
  349. required:
  350. - nameserver
  351. properties:
  352. nameserver:
  353. description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
  354. type: string
  355. tsigAlgorithm:
  356. description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
  357. type: string
  358. tsigKeyName:
  359. description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
  360. type: string
  361. tsigSecretSecretRef:
  362. description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
  363. type: object
  364. required:
  365. - name
  366. properties:
  367. key:
  368. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  369. type: string
  370. name:
  371. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  372. type: string
  373. route53:
  374. description: Use the AWS Route53 API to manage DNS01 challenge records.
  375. type: object
  376. required:
  377. - region
  378. properties:
  379. accessKeyID:
  380. description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  381. type: string
  382. accessKeyIDSecretRef:
  383. description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  384. type: object
  385. required:
  386. - name
  387. properties:
  388. key:
  389. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  390. type: string
  391. name:
  392. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  393. type: string
  394. hostedZoneID:
  395. description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
  396. type: string
  397. region:
  398. description: Always set the region when using AccessKeyID and SecretAccessKey
  399. type: string
  400. role:
  401. description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
  402. type: string
  403. secretAccessKeySecretRef:
  404. description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  405. type: object
  406. required:
  407. - name
  408. properties:
  409. key:
  410. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  411. type: string
  412. name:
  413. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  414. type: string
  415. webhook:
  416. description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
  417. type: object
  418. required:
  419. - groupName
  420. - solverName
  421. properties:
  422. config:
  423. description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
  424. x-kubernetes-preserve-unknown-fields: true
  425. groupName:
  426. description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
  427. type: string
  428. solverName:
  429. description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
  430. type: string
  431. http01:
  432. description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
  433. type: object
  434. properties:
  435. gatewayHTTPRoute:
  436. description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
  437. type: object
  438. properties:
  439. labels:
  440. description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
  441. type: object
  442. additionalProperties:
  443. type: string
  444. parentRefs:
  445. description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
  446. type: array
  447. items:
  448. description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
  449. type: object
  450. required:
  451. - name
  452. properties:
  453. group:
  454. description: "Group is the group of the referent. \n Support: Core"
  455. type: string
  456. default: gateway.networking.k8s.io
  457. maxLength: 253
  458. pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  459. kind:
  460. description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)"
  461. type: string
  462. default: Gateway
  463. maxLength: 63
  464. minLength: 1
  465. pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
  466. name:
  467. description: "Name is the name of the referent. \n Support: Core"
  468. type: string
  469. maxLength: 253
  470. minLength: 1
  471. namespace:
  472. description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
  473. type: string
  474. maxLength: 63
  475. minLength: 1
  476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  477. port:
  478. description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
  479. type: integer
  480. format: int32
  481. maximum: 65535
  482. minimum: 1
  483. sectionName:
  484. description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
  485. type: string
  486. maxLength: 253
  487. minLength: 1
  488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  489. serviceType:
  490. description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
  491. type: string
  492. ingress:
  493. description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
  494. type: object
  495. properties:
  496. class:
  497. description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
  498. type: string
  499. ingressTemplate:
  500. description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
  501. type: object
  502. properties:
  503. metadata:
  504. description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
  505. type: object
  506. properties:
  507. annotations:
  508. description: Annotations that should be added to the created ACME HTTP01 solver ingress.
  509. type: object
  510. additionalProperties:
  511. type: string
  512. labels:
  513. description: Labels that should be added to the created ACME HTTP01 solver ingress.
  514. type: object
  515. additionalProperties:
  516. type: string
  517. name:
  518. description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
  519. type: string
  520. podTemplate:
  521. description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
  522. type: object
  523. properties:
  524. metadata:
  525. description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
  526. type: object
  527. properties:
  528. annotations:
  529. description: Annotations that should be added to the created ACME HTTP01 solver pods.
  530. type: object
  531. additionalProperties:
  532. type: string
  533. labels:
  534. description: Labels that should be added to the created ACME HTTP01 solver pods.
  535. type: object
  536. additionalProperties:
  537. type: string
  538. spec:
  539. description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
  540. type: object
  541. properties:
  542. affinity:
  543. description: If specified, the pod's scheduling constraints
  544. type: object
  545. properties:
  546. nodeAffinity:
  547. description: Describes node affinity scheduling rules for the pod.
  548. type: object
  549. properties:
  550. preferredDuringSchedulingIgnoredDuringExecution:
  551. description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
  552. type: array
  553. items:
  554. description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
  555. type: object
  556. required:
  557. - preference
  558. - weight
  559. properties:
  560. preference:
  561. description: A node selector term, associated with the corresponding weight.
  562. type: object
  563. properties:
  564. matchExpressions:
  565. description: A list of node selector requirements by node's labels.
  566. type: array
  567. items:
  568. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  569. type: object
  570. required:
  571. - key
  572. - operator
  573. properties:
  574. key:
  575. description: The label key that the selector applies to.
  576. type: string
  577. operator:
578. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  579. type: string
  580. values:
  581. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  582. type: array
  583. items:
  584. type: string
  585. matchFields:
  586. description: A list of node selector requirements by node's fields.
  587. type: array
  588. items:
  589. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  590. type: object
  591. required:
  592. - key
  593. - operator
  594. properties:
  595. key:
  596. description: The label key that the selector applies to.
  597. type: string
  598. operator:
599. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  600. type: string
  601. values:
  602. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  603. type: array
  604. items:
  605. type: string
  606. x-kubernetes-map-type: atomic
  607. weight:
  608. description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  609. type: integer
  610. format: int32
  611. requiredDuringSchedulingIgnoredDuringExecution:
  612. description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
  613. type: object
  614. required:
  615. - nodeSelectorTerms
  616. properties:
  617. nodeSelectorTerms:
  618. description: Required. A list of node selector terms. The terms are ORed.
  619. type: array
  620. items:
  621. description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  622. type: object
  623. properties:
  624. matchExpressions:
  625. description: A list of node selector requirements by node's labels.
  626. type: array
  627. items:
  628. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  629. type: object
  630. required:
  631. - key
  632. - operator
  633. properties:
  634. key:
  635. description: The label key that the selector applies to.
  636. type: string
  637. operator:
638. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  639. type: string
  640. values:
  641. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  642. type: array
  643. items:
  644. type: string
  645. matchFields:
  646. description: A list of node selector requirements by node's fields.
  647. type: array
  648. items:
  649. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  650. type: object
  651. required:
  652. - key
  653. - operator
  654. properties:
  655. key:
  656. description: The label key that the selector applies to.
  657. type: string
  658. operator:
659. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  660. type: string
  661. values:
  662. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  663. type: array
  664. items:
  665. type: string
  666. x-kubernetes-map-type: atomic
  667. x-kubernetes-map-type: atomic
  668. podAffinity:
  669. description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
  670. type: object
  671. properties:
  672. preferredDuringSchedulingIgnoredDuringExecution:
  673. description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  674. type: array
  675. items:
  676. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  677. type: object
  678. required:
  679. - podAffinityTerm
  680. - weight
  681. properties:
  682. podAffinityTerm:
  683. description: Required. A pod affinity term, associated with the corresponding weight.
  684. type: object
  685. required:
  686. - topologyKey
  687. properties:
  688. labelSelector:
  689. description: A label query over a set of resources, in this case pods.
  690. type: object
  691. properties:
  692. matchExpressions:
  693. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  694. type: array
  695. items:
  696. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  697. type: object
  698. required:
  699. - key
  700. - operator
  701. properties:
  702. key:
  703. description: key is the label key that the selector applies to.
  704. type: string
  705. operator:
  706. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  707. type: string
  708. values:
  709. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  710. type: array
  711. items:
  712. type: string
  713. matchLabels:
  714. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  715. type: object
  716. additionalProperties:
  717. type: string
  718. x-kubernetes-map-type: atomic
  719. namespaceSelector:
  720. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  721. type: object
  722. properties:
  723. matchExpressions:
  724. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  725. type: array
  726. items:
  727. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  728. type: object
  729. required:
  730. - key
  731. - operator
  732. properties:
  733. key:
  734. description: key is the label key that the selector applies to.
  735. type: string
  736. operator:
  737. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  738. type: string
  739. values:
  740. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  741. type: array
  742. items:
  743. type: string
  744. matchLabels:
  745. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  746. type: object
  747. additionalProperties:
  748. type: string
  749. x-kubernetes-map-type: atomic
  750. namespaces:
  751. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  752. type: array
  753. items:
  754. type: string
  755. topologyKey:
  756. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  757. type: string
  758. weight:
  759. description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  760. type: integer
  761. format: int32
  762. requiredDuringSchedulingIgnoredDuringExecution:
  763. description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  764. type: array
  765. items:
  766. description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
  767. type: object
  768. required:
  769. - topologyKey
  770. properties:
  771. labelSelector:
  772. description: A label query over a set of resources, in this case pods.
  773. type: object
  774. properties:
  775. matchExpressions:
  776. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  777. type: array
  778. items:
  779. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  780. type: object
  781. required:
  782. - key
  783. - operator
  784. properties:
  785. key:
  786. description: key is the label key that the selector applies to.
  787. type: string
  788. operator:
  789. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  790. type: string
  791. values:
  792. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  793. type: array
  794. items:
  795. type: string
  796. matchLabels:
  797. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  798. type: object
  799. additionalProperties:
  800. type: string
  801. x-kubernetes-map-type: atomic
  802. namespaceSelector:
  803. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  804. type: object
  805. properties:
  806. matchExpressions:
  807. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  808. type: array
  809. items:
  810. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  811. type: object
  812. required:
  813. - key
  814. - operator
  815. properties:
  816. key:
  817. description: key is the label key that the selector applies to.
  818. type: string
  819. operator:
  820. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  821. type: string
  822. values:
  823. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  824. type: array
  825. items:
  826. type: string
  827. matchLabels:
  828. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  829. type: object
  830. additionalProperties:
  831. type: string
  832. x-kubernetes-map-type: atomic
  833. namespaces:
  834. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  835. type: array
  836. items:
  837. type: string
  838. topologyKey:
  839. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  840. type: string
  841. podAntiAffinity:
  842. description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
  843. type: object
  844. properties:
  845. preferredDuringSchedulingIgnoredDuringExecution:
  846. description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  847. type: array
  848. items:
  849. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  850. type: object
  851. required:
  852. - podAffinityTerm
  853. - weight
  854. properties:
  855. podAffinityTerm:
  856. description: Required. A pod affinity term, associated with the corresponding weight.
  857. type: object
  858. required:
  859. - topologyKey
  860. properties:
  861. labelSelector:
  862. description: A label query over a set of resources, in this case pods.
  863. type: object
  864. properties:
  865. matchExpressions:
  866. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  867. type: array
  868. items:
  869. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  870. type: object
  871. required:
  872. - key
  873. - operator
  874. properties:
  875. key:
  876. description: key is the label key that the selector applies to.
  877. type: string
  878. operator:
  879. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  880. type: string
  881. values:
  882. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  883. type: array
  884. items:
  885. type: string
  886. matchLabels:
  887. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  888. type: object
  889. additionalProperties:
  890. type: string
  891. x-kubernetes-map-type: atomic
  892. namespaceSelector:
  893. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  894. type: object
  895. properties:
  896. matchExpressions:
  897. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  898. type: array
  899. items:
  900. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  901. type: object
  902. required:
  903. - key
  904. - operator
  905. properties:
  906. key:
  907. description: key is the label key that the selector applies to.
  908. type: string
  909. operator:
  910. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  911. type: string
  912. values:
  913. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  914. type: array
  915. items:
  916. type: string
  917. matchLabels:
  918. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  919. type: object
  920. additionalProperties:
  921. type: string
  922. x-kubernetes-map-type: atomic
  923. namespaces:
  924. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  925. type: array
  926. items:
  927. type: string
  928. topologyKey:
  929. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  930. type: string
  931. weight:
  932. description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  933. type: integer
  934. format: int32
  935. requiredDuringSchedulingIgnoredDuringExecution:
  936. description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  937. type: array
  938. items:
  939. description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
  940. type: object
  941. required:
  942. - topologyKey
  943. properties:
  944. labelSelector:
  945. description: A label query over a set of resources, in this case pods.
  946. type: object
  947. properties:
  948. matchExpressions:
  949. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  950. type: array
  951. items:
  952. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  953. type: object
  954. required:
  955. - key
  956. - operator
  957. properties:
  958. key:
  959. description: key is the label key that the selector applies to.
  960. type: string
  961. operator:
  962. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  963. type: string
  964. values:
  965. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  966. type: array
  967. items:
  968. type: string
  969. matchLabels:
  970. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  971. type: object
  972. additionalProperties:
  973. type: string
  974. x-kubernetes-map-type: atomic
  975. namespaceSelector:
  976. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  977. type: object
  978. properties:
  979. matchExpressions:
  980. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  981. type: array
  982. items:
  983. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  984. type: object
  985. required:
  986. - key
  987. - operator
  988. properties:
  989. key:
  990. description: key is the label key that the selector applies to.
  991. type: string
  992. operator:
  993. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  994. type: string
  995. values:
  996. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  997. type: array
  998. items:
  999. type: string
  1000. matchLabels:
  1001. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  1002. type: object
  1003. additionalProperties:
  1004. type: string
  1005. x-kubernetes-map-type: atomic
  1006. namespaces:
  1007. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  1008. type: array
  1009. items:
  1010. type: string
  1011. topologyKey:
  1012. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  1013. type: string
  1014. nodeSelector:
  1015. description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
  1016. type: object
  1017. additionalProperties:
  1018. type: string
  1019. priorityClassName:
  1020. description: If specified, the pod's priorityClassName.
  1021. type: string
  1022. serviceAccountName:
1023. description: If specified, the pod's service account. The solver pod is created with this service account (and its mounted token), so it should be granted only the permissions the challenge solver actually needs.
  1024. type: string
  1025. tolerations:
  1026. description: If specified, the pod's tolerations.
  1027. type: array
  1028. items:
  1029. description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
  1030. type: object
  1031. properties:
  1032. effect:
  1033. description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
  1034. type: string
  1035. key:
  1036. description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  1037. type: string
  1038. operator:
  1039. description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
  1040. type: string
  1041. tolerationSeconds:
  1042. description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
  1043. type: integer
  1044. format: int64
  1045. value:
  1046. description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
  1047. type: string
  1048. serviceType:
1049. description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. Note that a NodePort service exposes the solver port on every node in the cluster, whereas ClusterIP keeps it reachable only from inside the cluster (e.g. via the solver ingress).
  1050. type: string
  1051. selector:
  1052. description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
  1053. type: object
  1054. properties:
  1055. dnsNames:
  1056. description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  1057. type: array
  1058. items:
  1059. type: string
  1060. dnsZones:
  1061. description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  1062. type: array
  1063. items:
  1064. type: string
  1065. matchLabels:
  1066. description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
  1067. type: object
  1068. additionalProperties:
  1069. type: string
  1070. ca:
  1071. description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
  1072. type: object
  1073. required:
  1074. - secretName
  1075. properties:
  1076. crlDistributionPoints:
  1077. description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
  1078. type: array
  1079. items:
  1080. type: string
  1081. ocspServers:
  1082. description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
  1083. type: array
  1084. items:
  1085. type: string
  1086. secretName:
  1087. description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
  1088. type: string
  1089. selfSigned:
  1090. description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
  1091. type: object
  1092. properties:
  1093. crlDistributionPoints:
  1094. description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
  1095. type: array
  1096. items:
  1097. type: string
  1098. vault:
  1099. description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
  1100. type: object
  1101. required:
  1102. - auth
  1103. - path
  1104. - server
  1105. properties:
  1106. auth:
  1107. description: Auth configures how cert-manager authenticates with the Vault server.
  1108. type: object
  1109. properties:
  1110. appRole:
  1111. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  1112. type: object
  1113. required:
  1114. - path
  1115. - roleId
  1116. - secretRef
  1117. properties:
  1118. path:
  1119. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  1120. type: string
  1121. roleId:
  1122. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  1123. type: string
  1124. secretRef:
  1125. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  1126. type: object
  1127. required:
  1128. - name
  1129. properties:
  1130. key:
  1131. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1132. type: string
  1133. name:
  1134. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1135. type: string
  1136. kubernetes:
  1137. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1138. type: object
  1139. required:
  1140. - role
  1141. - secretRef
  1142. properties:
  1143. mountPath:
  1144. description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
  1145. type: string
  1146. role:
  1147. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1148. type: string
  1149. secretRef:
  1150. description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
  1151. type: object
  1152. required:
  1153. - name
  1154. properties:
  1155. key:
  1156. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1157. type: string
  1158. name:
  1159. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1160. type: string
  1161. tokenSecretRef:
  1162. description: TokenSecretRef authenticates with Vault by presenting a token.
  1163. type: object
  1164. required:
  1165. - name
  1166. properties:
  1167. key:
  1168. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1169. type: string
  1170. name:
  1171. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1172. type: string
  1173. caBundle:
  1174. description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection.
  1175. type: string
  1176. format: byte
  1177. caBundleSecretRef:
  1178. description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
  1179. type: object
  1180. required:
  1181. - name
  1182. properties:
  1183. key:
  1184. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1185. type: string
  1186. name:
  1187. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1188. type: string
  1189. namespace:
  1190. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1191. type: string
  1192. path:
  1193. description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
  1194. type: string
  1195. server:
  1196. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1197. type: string
  1198. venafi:
  1199. description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
  1200. type: object
  1201. required:
  1202. - zone
  1203. properties:
  1204. cloud:
  1205. description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
  1206. type: object
  1207. required:
  1208. - apiTokenSecretRef
  1209. properties:
  1210. apiTokenSecretRef:
  1211. description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
  1212. type: object
  1213. required:
  1214. - name
  1215. properties:
  1216. key:
  1217. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1218. type: string
  1219. name:
  1220. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1221. type: string
  1222. url:
  1223. description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
  1224. type: string
  1225. tpp:
  1226. description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
  1227. type: object
  1228. required:
  1229. - credentialsRef
  1230. - url
  1231. properties:
  1232. caBundle:
  1233. description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
  1234. type: string
  1235. format: byte
  1236. credentialsRef:
  1237. description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
  1238. type: object
  1239. required:
  1240. - name
  1241. properties:
  1242. name:
  1243. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1244. type: string
  1245. url:
  1246. description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
  1247. type: string
  1248. zone:
  1249. description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
  1250. type: string
  1251. status:
  1252. description: Status of the ClusterIssuer. This is set and managed automatically.
  1253. type: object
  1254. properties:
  1255. acme:
  1256. description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
  1257. type: object
  1258. properties:
  1259. lastRegisteredEmail:
  1260. description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
  1261. type: string
  1262. uri:
  1263. description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
  1264. type: string
  1265. conditions:
  1266. description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
  1267. type: array
  1268. items:
  1269. description: IssuerCondition contains condition information for an Issuer.
  1270. type: object
  1271. required:
  1272. - status
  1273. - type
  1274. properties:
  1275. lastTransitionTime:
  1276. description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
  1277. type: string
  1278. format: date-time
  1279. message:
  1280. description: Message is a human readable description of the details of the last transition, complementing reason.
  1281. type: string
  1282. observedGeneration:
  1283. description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
  1284. type: integer
  1285. format: int64
  1286. reason:
  1287. description: Reason is a brief machine readable explanation for the condition's last transition.
  1288. type: string
  1289. status:
  1290. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  1291. type: string
  1292. enum:
  1293. - "True"
  1294. - "False"
  1295. - Unknown
  1296. type:
  1297. description: Type of the condition, known values are (`Ready`).
  1298. type: string
  1299. x-kubernetes-list-map-keys:
  1300. - type
  1301. x-kubernetes-list-type: map
  1302. served: true
  1303. storage: true
  1304. ---
  1305. # Source: cert-manager/templates/crds.yaml
  1306. apiVersion: apiextensions.k8s.io/v1
  1307. kind: CustomResourceDefinition
  1308. metadata:
  1309. name: challenges.acme.cert-manager.io
  1310. labels:
  1311. app: 'cert-manager'
  1312. app.kubernetes.io/name: 'cert-manager'
  1313. app.kubernetes.io/instance: 'cert-manager'
  1314. # Generated labels
  1315. app.kubernetes.io/version: "v1.10.1"
  1316. spec:
  1317. group: acme.cert-manager.io
  1318. names:
  1319. kind: Challenge
  1320. listKind: ChallengeList
  1321. plural: challenges
  1322. singular: challenge
  1323. categories:
  1324. - cert-manager
  1325. - cert-manager-acme
  1326. scope: Namespaced
  1327. versions:
  1328. - additionalPrinterColumns:
  1329. - jsonPath: .status.state
  1330. name: State
  1331. type: string
  1332. - jsonPath: .spec.dnsName
  1333. name: Domain
  1334. type: string
  1335. - jsonPath: .status.reason
  1336. name: Reason
  1337. priority: 1
  1338. type: string
  1339. - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  1340. jsonPath: .metadata.creationTimestamp
  1341. name: Age
  1342. type: date
  1343. name: v1
  1344. schema:
  1345. openAPIV3Schema:
  1346. description: Challenge is a type to represent a Challenge request with an ACME server
  1347. type: object
  1348. required:
  1349. - metadata
  1350. - spec
  1351. properties:
  1352. apiVersion:
  1353. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1354. type: string
  1355. kind:
  1356. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1357. type: string
  1358. metadata:
  1359. type: object
  1360. spec:
  1361. type: object
  1362. required:
  1363. - authorizationURL
  1364. - dnsName
  1365. - issuerRef
  1366. - key
  1367. - solver
  1368. - token
  1369. - type
  1370. - url
  1371. properties:
  1372. authorizationURL:
  1373. description: The URL to the ACME Authorization resource that this challenge is a part of.
  1374. type: string
  1375. dnsName:
  1376. description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
  1377. type: string
  1378. issuerRef:
  1379. description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
  1380. type: object
  1381. required:
  1382. - name
  1383. properties:
  1384. group:
  1385. description: Group of the resource being referred to.
  1386. type: string
  1387. kind:
  1388. description: Kind of the resource being referred to.
  1389. type: string
  1390. name:
  1391. description: Name of the resource being referred to.
  1392. type: string
  1393. key:
  1394. description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
  1395. type: string
  1396. solver:
  1397. description: Contains the domain solving configuration that should be used to solve this challenge resource.
  1398. type: object
  1399. properties:
  1400. dns01:
  1401. description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
  1402. type: object
  1403. properties:
  1404. acmeDNS:
  1405. description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
  1406. type: object
  1407. required:
  1408. - accountSecretRef
  1409. - host
  1410. properties:
  1411. accountSecretRef:
  1412. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1413. type: object
  1414. required:
  1415. - name
  1416. properties:
  1417. key:
  1418. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1419. type: string
  1420. name:
  1421. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1422. type: string
  1423. host:
  1424. type: string
  1425. akamai:
  1426. description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
  1427. type: object
  1428. required:
  1429. - accessTokenSecretRef
  1430. - clientSecretSecretRef
  1431. - clientTokenSecretRef
  1432. - serviceConsumerDomain
  1433. properties:
  1434. accessTokenSecretRef:
  1435. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1436. type: object
  1437. required:
  1438. - name
  1439. properties:
  1440. key:
  1441. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1442. type: string
  1443. name:
  1444. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1445. type: string
  1446. clientSecretSecretRef:
  1447. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1448. type: object
  1449. required:
  1450. - name
  1451. properties:
  1452. key:
  1453. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1454. type: string
  1455. name:
  1456. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1457. type: string
  1458. clientTokenSecretRef:
  1459. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1460. type: object
  1461. required:
  1462. - name
  1463. properties:
  1464. key:
  1465. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1466. type: string
  1467. name:
  1468. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1469. type: string
  1470. serviceConsumerDomain:
  1471. type: string
  1472. azureDNS:
  1473. description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
  1474. type: object
  1475. required:
  1476. - resourceGroupName
  1477. - subscriptionID
  1478. properties:
  1479. clientID:
  1480. description: if both this and ClientSecret are left unset, MSI will be used
  1481. type: string
  1482. clientSecretSecretRef:
  1483. description: if both this and ClientID are left unset, MSI will be used
  1484. type: object
  1485. required:
  1486. - name
  1487. properties:
  1488. key:
  1489. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1490. type: string
  1491. name:
  1492. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1493. type: string
  1494. environment:
  1495. description: name of the Azure environment (default AzurePublicCloud)
  1496. type: string
  1497. enum:
  1498. - AzurePublicCloud
  1499. - AzureChinaCloud
  1500. - AzureGermanCloud
  1501. - AzureUSGovernmentCloud
  1502. hostedZoneName:
  1503. description: name of the DNS zone that should be used
  1504. type: string
  1505. managedIdentity:
  1506. description: managed identity configuration, cannot be used at the same time as clientID, clientSecretSecretRef or tenantID
  1507. type: object
  1508. properties:
  1509. clientID:
  1510. description: client ID of the managed identity, can not be used at the same time as resourceID
  1511. type: string
  1512. resourceID:
  1513. description: resource ID of the managed identity, can not be used at the same time as clientID
  1514. type: string
  1515. resourceGroupName:
  1516. description: resource group the DNS zone is located in
  1517. type: string
  1518. subscriptionID:
  1519. description: ID of the Azure subscription
  1520. type: string
  1521. tenantID:
  1522. description: when specifying ClientID and ClientSecret, this field is also needed
  1523. type: string
  1524. cloudDNS:
  1525. description: Use the Google Cloud DNS API to manage DNS01 challenge records.
  1526. type: object
  1527. required:
  1528. - project
  1529. properties:
  1530. hostedZoneName:
  1531. description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
  1532. type: string
  1533. project:
  1534. type: string
  1535. serviceAccountSecretRef:
  1536. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1537. type: object
  1538. required:
  1539. - name
  1540. properties:
  1541. key:
  1542. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1543. type: string
  1544. name:
  1545. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1546. type: string
  1547. cloudflare:
  1548. description: Use the Cloudflare API to manage DNS01 challenge records.
  1549. type: object
  1550. properties:
  1551. apiKeySecretRef:
  1552. description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
  1553. type: object
  1554. required:
  1555. - name
  1556. properties:
  1557. key:
  1558. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1559. type: string
  1560. name:
  1561. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1562. type: string
  1563. apiTokenSecretRef:
  1564. description: API token used to authenticate with Cloudflare.
  1565. type: object
  1566. required:
  1567. - name
  1568. properties:
  1569. key:
  1570. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1571. type: string
  1572. name:
  1573. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1574. type: string
  1575. email:
  1576. description: Email of the account, only required when using API key based authentication.
  1577. type: string
  1578. cnameStrategy:
  1579. description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
  1580. type: string
  1581. enum:
  1582. - None
  1583. - Follow
  1584. digitalocean:
  1585. description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
  1586. type: object
  1587. required:
  1588. - tokenSecretRef
  1589. properties:
  1590. tokenSecretRef:
  1591. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  1592. type: object
  1593. required:
  1594. - name
  1595. properties:
  1596. key:
  1597. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1598. type: string
  1599. name:
  1600. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1601. type: string
  1602. rfc2136:
  1603. description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
  1604. type: object
  1605. required:
  1606. - nameserver
  1607. properties:
  1608. nameserver:
  1609. description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
  1610. type: string
  1611. tsigAlgorithm:
  1612. description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
  1613. type: string
  1614. tsigKeyName:
  1615. description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
  1616. type: string
  1617. tsigSecretSecretRef:
  1618. description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
  1619. type: object
  1620. required:
  1621. - name
  1622. properties:
  1623. key:
  1624. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1625. type: string
  1626. name:
  1627. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1628. type: string
  1629. route53:
  1630. description: Use the AWS Route53 API to manage DNS01 challenge records.
  1631. type: object
  1632. required:
  1633. - region
  1634. properties:
  1635. accessKeyID:
  1636. description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1637. type: string
  1638. accessKeyIDSecretRef:
  1639. description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1640. type: object
  1641. required:
  1642. - name
  1643. properties:
  1644. key:
  1645. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1646. type: string
  1647. name:
  1648. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1649. type: string
  1650. hostedZoneID:
  1651. description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
  1652. type: string
  1653. region:
  1654. description: Always set the region when using AccessKeyID and SecretAccessKey
  1655. type: string
  1656. role:
  1657. description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
  1658. type: string
  1659. secretAccessKeySecretRef:
  1660. description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1661. type: object
  1662. required:
  1663. - name
  1664. properties:
  1665. key:
  1666. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1667. type: string
  1668. name:
  1669. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  1670. type: string
  1671. webhook:
  1672. description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
  1673. type: object
  1674. required:
  1675. - groupName
  1676. - solverName
  1677. properties:
  1678. config:
  1679. description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
  1680. x-kubernetes-preserve-unknown-fields: true
  1681. groupName:
  1682. description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
  1683. type: string
  1684. solverName:
  1685. description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
  1686. type: string
  1687. http01:
  1688. description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
  1689. type: object
  1690. properties:
  1691. gatewayHTTPRoute:
  1692. description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
  1693. type: object
  1694. properties:
  1695. labels:
  1696. description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
  1697. type: object
  1698. additionalProperties:
  1699. type: string
  1700. parentRefs:
  1701. description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
  1702. type: array
  1703. items:
  1704. description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
  1705. type: object
  1706. required:
  1707. - name
  1708. properties:
  1709. group:
  1710. description: "Group is the group of the referent. \n Support: Core"
  1711. type: string
  1712. default: gateway.networking.k8s.io
  1713. maxLength: 253
  1714. pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1715. kind:
  1716. description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)"
  1717. type: string
  1718. default: Gateway
  1719. maxLength: 63
  1720. minLength: 1
  1721. pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
  1722. name:
  1723. description: "Name is the name of the referent. \n Support: Core"
  1724. type: string
  1725. maxLength: 253
  1726. minLength: 1
  1727. namespace:
  1728. description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
  1729. type: string
  1730. maxLength: 63
  1731. minLength: 1
  1732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1733. port:
  1734. description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
  1735. type: integer
  1736. format: int32
  1737. maximum: 65535
  1738. minimum: 1
  1739. sectionName:
  1740. description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
  1741. type: string
  1742. maxLength: 253
  1743. minLength: 1
  1744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1745. serviceType:
  1746. description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
  1747. type: string
  1748. ingress:
  1749. description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
  1750. type: object
  1751. properties:
  1752. class:
  1753. description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
  1754. type: string
  1755. ingressTemplate:
  1756. description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
  1757. type: object
  1758. properties:
  1759. metadata:
  1760. description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
  1761. type: object
  1762. properties:
  1763. annotations:
  1764. description: Annotations that should be added to the created ACME HTTP01 solver ingress.
  1765. type: object
  1766. additionalProperties:
  1767. type: string
  1768. labels:
  1769. description: Labels that should be added to the created ACME HTTP01 solver ingress.
  1770. type: object
  1771. additionalProperties:
  1772. type: string
  1773. name:
  1774. description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
  1775. type: string
  1776. podTemplate:
  1777. description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
  1778. type: object
  1779. properties:
  1780. metadata:
  1781. description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
  1782. type: object
  1783. properties:
  1784. annotations:
  1785. description: Annotations that should be added to the created ACME HTTP01 solver pods.
  1786. type: object
  1787. additionalProperties:
  1788. type: string
  1789. labels:
  1790. description: Labels that should be added to the created ACME HTTP01 solver pods.
  1791. type: object
  1792. additionalProperties:
  1793. type: string
  1794. spec:
  1795. description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
  1796. type: object
  1797. properties:
  1798. affinity:
  1799. description: If specified, the pod's scheduling constraints
  1800. type: object
  1801. properties:
  1802. nodeAffinity:
  1803. description: Describes node affinity scheduling rules for the pod.
  1804. type: object
  1805. properties:
  1806. preferredDuringSchedulingIgnoredDuringExecution:
  1807. description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
  1808. type: array
  1809. items:
  1810. description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
  1811. type: object
  1812. required:
  1813. - preference
  1814. - weight
  1815. properties:
  1816. preference:
  1817. description: A node selector term, associated with the corresponding weight.
  1818. type: object
  1819. properties:
  1820. matchExpressions:
  1821. description: A list of node selector requirements by node's labels.
  1822. type: array
  1823. items:
  1824. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1825. type: object
  1826. required:
  1827. - key
  1828. - operator
  1829. properties:
  1830. key:
  1831. description: The label key that the selector applies to.
  1832. type: string
  1833. operator:
  1834. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  1835. type: string
  1836. values:
  1837. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  1838. type: array
  1839. items:
  1840. type: string
  1841. matchFields:
  1842. description: A list of node selector requirements by node's fields.
  1843. type: array
  1844. items:
  1845. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1846. type: object
  1847. required:
  1848. - key
  1849. - operator
  1850. properties:
  1851. key:
  1852. description: The label key that the selector applies to.
  1853. type: string
  1854. operator:
  1855. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  1856. type: string
  1857. values:
  1858. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  1859. type: array
  1860. items:
  1861. type: string
  1862. x-kubernetes-map-type: atomic
  1863. weight:
  1864. description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  1865. type: integer
  1866. format: int32
  1867. requiredDuringSchedulingIgnoredDuringExecution:
  1868. description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
  1869. type: object
  1870. required:
  1871. - nodeSelectorTerms
  1872. properties:
  1873. nodeSelectorTerms:
  1874. description: Required. A list of node selector terms. The terms are ORed.
  1875. type: array
  1876. items:
  1877. description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  1878. type: object
  1879. properties:
  1880. matchExpressions:
  1881. description: A list of node selector requirements by node's labels.
  1882. type: array
  1883. items:
  1884. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1885. type: object
  1886. required:
  1887. - key
  1888. - operator
  1889. properties:
  1890. key:
  1891. description: The label key that the selector applies to.
  1892. type: string
  1893. operator:
  1894. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  1895. type: string
  1896. values:
  1897. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  1898. type: array
  1899. items:
  1900. type: string
  1901. matchFields:
  1902. description: A list of node selector requirements by node's fields.
  1903. type: array
  1904. items:
  1905. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1906. type: object
  1907. required:
  1908. - key
  1909. - operator
  1910. properties:
  1911. key:
  1912. description: The label key that the selector applies to.
  1913. type: string
  1914. operator:
  1915. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  1916. type: string
  1917. values:
  1918. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  1919. type: array
  1920. items:
  1921. type: string
  1922. x-kubernetes-map-type: atomic
  1923. x-kubernetes-map-type: atomic
  1924. podAffinity:
  1925. description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
  1926. type: object
  1927. properties:
  1928. preferredDuringSchedulingIgnoredDuringExecution:
  1929. description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  1930. type: array
  1931. items:
  1932. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  1933. type: object
  1934. required:
  1935. - podAffinityTerm
  1936. - weight
  1937. properties:
  1938. podAffinityTerm:
  1939. description: Required. A pod affinity term, associated with the corresponding weight.
  1940. type: object
  1941. required:
  1942. - topologyKey
  1943. properties:
  1944. labelSelector:
  1945. description: A label query over a set of resources, in this case pods.
  1946. type: object
  1947. properties:
  1948. matchExpressions:
  1949. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1950. type: array
  1951. items:
  1952. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1953. type: object
  1954. required:
  1955. - key
  1956. - operator
  1957. properties:
  1958. key:
  1959. description: key is the label key that the selector applies to.
  1960. type: string
  1961. operator:
  1962. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  1963. type: string
  1964. values:
  1965. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  1966. type: array
  1967. items:
  1968. type: string
  1969. matchLabels:
  1970. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  1971. type: object
  1972. additionalProperties:
  1973. type: string
  1974. x-kubernetes-map-type: atomic
  1975. namespaceSelector:
  1976. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  1977. type: object
  1978. properties:
  1979. matchExpressions:
  1980. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1981. type: array
  1982. items:
  1983. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  1984. type: object
  1985. required:
  1986. - key
  1987. - operator
  1988. properties:
  1989. key:
  1990. description: key is the label key that the selector applies to.
  1991. type: string
  1992. operator:
  1993. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  1994. type: string
  1995. values:
  1996. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  1997. type: array
  1998. items:
  1999. type: string
  2000. matchLabels:
  2001. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2002. type: object
  2003. additionalProperties:
  2004. type: string
  2005. x-kubernetes-map-type: atomic
  2006. namespaces:
  2007. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2008. type: array
  2009. items:
  2010. type: string
  2011. topologyKey:
  2012. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  2013. type: string
  2014. weight:
  2015. description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  2016. type: integer
  2017. format: int32
  2018. requiredDuringSchedulingIgnoredDuringExecution:
  2019. description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  2020. type: array
  2021. items:
  2022. description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
  2023. type: object
  2024. required:
  2025. - topologyKey
  2026. properties:
  2027. labelSelector:
  2028. description: A label query over a set of resources, in this case pods.
  2029. type: object
  2030. properties:
  2031. matchExpressions:
  2032. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2033. type: array
  2034. items:
  2035. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  2036. type: object
  2037. required:
  2038. - key
  2039. - operator
  2040. properties:
  2041. key:
  2042. description: key is the label key that the selector applies to.
  2043. type: string
  2044. operator:
  2045. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  2046. type: string
  2047. values:
  2048. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  2049. type: array
  2050. items:
  2051. type: string
  2052. matchLabels:
  2053. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2054. type: object
  2055. additionalProperties:
  2056. type: string
  2057. x-kubernetes-map-type: atomic
  2058. namespaceSelector:
  2059. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  2060. type: object
  2061. properties:
  2062. matchExpressions:
  2063. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2064. type: array
  2065. items:
  2066. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  2067. type: object
  2068. required:
  2069. - key
  2070. - operator
  2071. properties:
  2072. key:
  2073. description: key is the label key that the selector applies to.
  2074. type: string
  2075. operator:
  2076. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  2077. type: string
  2078. values:
  2079. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  2080. type: array
  2081. items:
  2082. type: string
  2083. matchLabels:
  2084. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2085. type: object
  2086. additionalProperties:
  2087. type: string
  2088. x-kubernetes-map-type: atomic
  2089. namespaces:
  2090. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2091. type: array
  2092. items:
  2093. type: string
  2094. topologyKey:
  2095. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  2096. type: string
  2097. podAntiAffinity:
  2098. description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
  2099. type: object
  2100. properties:
  2101. preferredDuringSchedulingIgnoredDuringExecution:
  2102. description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  2103. type: array
  2104. items:
  2105. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  2106. type: object
  2107. required:
  2108. - podAffinityTerm
  2109. - weight
  2110. properties:
  2111. podAffinityTerm:
  2112. description: Required. A pod affinity term, associated with the corresponding weight.
  2113. type: object
  2114. required:
  2115. - topologyKey
  2116. properties:
  2117. labelSelector:
  2118. description: A label query over a set of resources, in this case pods.
  2119. type: object
  2120. properties:
  2121. matchExpressions:
  2122. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2123. type: array
  2124. items:
  2125. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  2126. type: object
  2127. required:
  2128. - key
  2129. - operator
  2130. properties:
  2131. key:
  2132. description: key is the label key that the selector applies to.
  2133. type: string
  2134. operator:
  2135. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  2136. type: string
  2137. values:
  2138. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  2139. type: array
  2140. items:
  2141. type: string
  2142. matchLabels:
  2143. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2144. type: object
  2145. additionalProperties:
  2146. type: string
  2147. x-kubernetes-map-type: atomic
  2148. namespaceSelector:
  2149. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  2150. type: object
  2151. properties:
  2152. matchExpressions:
  2153. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2154. type: array
  2155. items:
  2156. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  2157. type: object
  2158. required:
  2159. - key
  2160. - operator
  2161. properties:
  2162. key:
  2163. description: key is the label key that the selector applies to.
  2164. type: string
  2165. operator:
  2166. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  2167. type: string
  2168. values:
  2169. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  2170. type: array
  2171. items:
  2172. type: string
  2173. matchLabels:
  2174. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2175. type: object
  2176. additionalProperties:
  2177. type: string
  2178. x-kubernetes-map-type: atomic
  2179. namespaces:
  2180. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2181. type: array
  2182. items:
  2183. type: string
  2184. topologyKey:
  2185. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  2186. type: string
  2187. weight:
  2188. description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  2189. type: integer
  2190. format: int32
  2191. requiredDuringSchedulingIgnoredDuringExecution:
  2192. description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  2193. type: array
  2194. items:
  2195. description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
  2196. type: object
  2197. required:
  2198. - topologyKey
  2199. properties:
  2200. labelSelector:
  2201. description: A label query over a set of resources, in this case pods.
  2202. type: object
  2203. properties:
  2204. matchExpressions:
  2205. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2206. type: array
  2207. items:
  2208. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  2209. type: object
  2210. required:
  2211. - key
  2212. - operator
  2213. properties:
  2214. key:
  2215. description: key is the label key that the selector applies to.
  2216. type: string
  2217. operator:
  2218. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  2219. type: string
  2220. values:
  2221. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  2222. type: array
  2223. items:
  2224. type: string
  2225. matchLabels:
  2226. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2227. type: object
  2228. additionalProperties:
  2229. type: string
  2230. x-kubernetes-map-type: atomic
  2231. namespaceSelector:
  2232. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  2233. type: object
  2234. properties:
  2235. matchExpressions:
  2236. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2237. type: array
  2238. items:
  2239. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  2240. type: object
  2241. required:
  2242. - key
  2243. - operator
  2244. properties:
  2245. key:
  2246. description: key is the label key that the selector applies to.
  2247. type: string
  2248. operator:
  2249. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  2250. type: string
  2251. values:
  2252. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  2253. type: array
  2254. items:
  2255. type: string
  2256. matchLabels:
  2257. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  2258. type: object
  2259. additionalProperties:
  2260. type: string
  2261. x-kubernetes-map-type: atomic
  2262. namespaces:
  2263. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2264. type: array
  2265. items:
  2266. type: string
  2267. topologyKey:
  2268. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  2269. type: string
  2270. nodeSelector:
  2271. description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
  2272. type: object
  2273. additionalProperties:
  2274. type: string
  2275. priorityClassName:
  2276. description: If specified, the pod's priorityClassName.
  2277. type: string
  2278. serviceAccountName:
  2279. description: If specified, the pod's service account
  2280. type: string
  2281. tolerations:
  2282. description: If specified, the pod's tolerations.
  2283. type: array
  2284. items:
  2285. description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
  2286. type: object
  2287. properties:
  2288. effect:
  2289. description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
  2290. type: string
  2291. key:
  2292. description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  2293. type: string
  2294. operator:
  2295. description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
  2296. type: string
  2297. tolerationSeconds:
  2298. description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
  2299. type: integer
  2300. format: int64
  2301. value:
  2302. description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
  2303. type: string
  2304. serviceType:
  2305. description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
  2306. type: string
  2307. selector:
  2308. description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
  2309. type: object
  2310. properties:
  2311. dnsNames:
  2312. description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  2313. type: array
  2314. items:
  2315. type: string
  2316. dnsZones:
  2317. description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  2318. type: array
  2319. items:
  2320. type: string
  2321. matchLabels:
  2322. description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
  2323. type: object
  2324. additionalProperties:
  2325. type: string
  2326. token:
  2327. description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
  2328. type: string
  2329. type:
  2330. description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
  2331. type: string
  2332. enum:
  2333. - HTTP-01
  2334. - DNS-01
  2335. url:
  2336. description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
  2337. type: string
  2338. wildcard:
  2339. description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
  2340. type: boolean
  2341. status:
  2342. type: object
  2343. properties:
  2344. presented:
  2345. description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
  2346. type: boolean
  2347. processing:
  2348. description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
  2349. type: boolean
  2350. reason:
  2351. description: Contains human readable information on why the Challenge is in the current state.
  2352. type: string
  2353. state:
  2354. description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
  2355. type: string
  2356. enum:
  2357. - valid
  2358. - ready
  2359. - pending
  2360. - processing
  2361. - invalid
  2362. - expired
  2363. - errored
  2364. served: true
  2365. storage: true
  2366. subresources:
  2367. status: {}
  2368. ---
  2369. # Source: cert-manager/templates/crds.yaml
  2370. apiVersion: apiextensions.k8s.io/v1
  2371. kind: CustomResourceDefinition
  2372. metadata:
  2373. name: certificaterequests.cert-manager.io
  2374. labels:
  2375. app: 'cert-manager'
  2376. app.kubernetes.io/name: 'cert-manager'
  2377. app.kubernetes.io/instance: 'cert-manager'
  2378. # Generated labels
  2379. app.kubernetes.io/version: "v1.10.1"
  2380. spec:
  2381. group: cert-manager.io
  2382. names:
  2383. kind: CertificateRequest
  2384. listKind: CertificateRequestList
  2385. plural: certificaterequests
  2386. shortNames:
  2387. - cr
  2388. - crs
  2389. singular: certificaterequest
  2390. categories:
  2391. - cert-manager
  2392. scope: Namespaced
  2393. versions:
  2394. - name: v1
  2395. subresources:
  2396. status: {}
  2397. additionalPrinterColumns:
  2398. - jsonPath: .status.conditions[?(@.type=="Approved")].status
  2399. name: Approved
  2400. type: string
  2401. - jsonPath: .status.conditions[?(@.type=="Denied")].status
  2402. name: Denied
  2403. type: string
  2404. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2405. name: Ready
  2406. type: string
  2407. - jsonPath: .spec.issuerRef.name
  2408. name: Issuer
  2409. type: string
  2410. - jsonPath: .spec.username
  2411. name: Requestor
  2412. type: string
  2413. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  2414. name: Status
  2415. priority: 1
  2416. type: string
  2417. - jsonPath: .metadata.creationTimestamp
  2418. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  2419. name: Age
  2420. type: date
  2421. schema:
  2422. openAPIV3Schema:
  2423. description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
  2424. type: object
  2425. required:
  2426. - spec
  2427. properties:
  2428. apiVersion:
  2429. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2430. type: string
  2431. kind:
  2432. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2433. type: string
  2434. metadata:
  2435. type: object
  2436. spec:
  2437. description: Desired state of the CertificateRequest resource.
  2438. type: object
  2439. required:
  2440. - issuerRef
  2441. - request
  2442. properties:
  2443. duration:
  2444. description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
  2445. type: string
  2446. extra:
  2447. description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
  2448. type: object
  2449. additionalProperties:
  2450. type: array
  2451. items:
  2452. type: string
  2453. groups:
  2454. description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
  2455. type: array
  2456. items:
  2457. type: string
  2458. x-kubernetes-list-type: atomic
  2459. isCA:
  2460. description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
  2461. type: boolean
  2462. issuerRef:
  2463. description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
  2464. type: object
  2465. required:
  2466. - name
  2467. properties:
  2468. group:
  2469. description: Group of the resource being referred to.
  2470. type: string
  2471. kind:
  2472. description: Kind of the resource being referred to.
  2473. type: string
  2474. name:
  2475. description: Name of the resource being referred to.
  2476. type: string
  2477. request:
  2478. description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
  2479. type: string
  2480. format: byte
  2481. uid:
  2482. description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
  2483. type: string
  2484. usages:
  2485. description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
  2486. type: array
  2487. items:
  2488. description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
  2489. type: string
  2490. enum:
  2491. - signing
  2492. - digital signature
  2493. - content commitment
  2494. - key encipherment
  2495. - key agreement
  2496. - data encipherment
  2497. - cert sign
  2498. - crl sign
  2499. - encipher only
  2500. - decipher only
  2501. - any
  2502. - server auth
  2503. - client auth
  2504. - code signing
  2505. - email protection
  2506. - s/mime
  2507. - ipsec end system
  2508. - ipsec tunnel
  2509. - ipsec user
  2510. - timestamping
  2511. - ocsp signing
  2512. - microsoft sgc
  2513. - netscape sgc
  2514. username:
  2515. description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
  2516. type: string
  2517. status:
  2518. description: Status of the CertificateRequest. This is set and managed automatically.
  2519. type: object
  2520. properties:
  2521. ca:
  2522. description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
  2523. type: string
  2524. format: byte
  2525. certificate:
  2526. description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
  2527. type: string
  2528. format: byte
  2529. conditions:
  2530. description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
  2531. type: array
  2532. items:
  2533. description: CertificateRequestCondition contains condition information for a CertificateRequest.
  2534. type: object
  2535. required:
  2536. - status
  2537. - type
  2538. properties:
  2539. lastTransitionTime:
  2540. description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
  2541. type: string
  2542. format: date-time
  2543. message:
  2544. description: Message is a human readable description of the details of the last transition, complementing reason.
  2545. type: string
  2546. reason:
  2547. description: Reason is a brief machine readable explanation for the condition's last transition.
  2548. type: string
  2549. status:
  2550. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  2551. type: string
  2552. enum:
  2553. - "True"
  2554. - "False"
  2555. - Unknown
  2556. type:
  2557. description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
  2558. type: string
  2559. x-kubernetes-list-map-keys:
  2560. - type
  2561. x-kubernetes-list-type: map
  2562. failureTime:
  2563. description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
  2564. type: string
  2565. format: date-time
  2566. served: true
  2567. storage: true
  2568. ---
  2569. # Source: cert-manager/templates/crds.yaml
  2570. apiVersion: apiextensions.k8s.io/v1
  2571. kind: CustomResourceDefinition
  2572. metadata:
  2573. name: issuers.cert-manager.io
  2574. labels:
  2575. app: 'cert-manager'
  2576. app.kubernetes.io/name: 'cert-manager'
  2577. app.kubernetes.io/instance: 'cert-manager'
  2578. # Generated labels
  2579. app.kubernetes.io/version: "v1.10.1"
  2580. spec:
  2581. group: cert-manager.io
  2582. names:
  2583. kind: Issuer
  2584. listKind: IssuerList
  2585. plural: issuers
  2586. singular: issuer
  2587. categories:
  2588. - cert-manager
  2589. scope: Namespaced
  2590. versions:
  2591. - name: v1
  2592. subresources:
  2593. status: {}
  2594. additionalPrinterColumns:
  2595. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2596. name: Ready
  2597. type: string
  2598. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  2599. name: Status
  2600. priority: 1
  2601. type: string
  2602. - jsonPath: .metadata.creationTimestamp
  2603. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  2604. name: Age
  2605. type: date
  2606. schema:
  2607. openAPIV3Schema:
  2608. description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
  2609. type: object
  2610. required:
  2611. - spec
  2612. properties:
  2613. apiVersion:
  2614. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2615. type: string
  2616. kind:
  2617. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2618. type: string
  2619. metadata:
  2620. type: object
  2621. spec:
  2622. description: Desired state of the Issuer resource.
  2623. type: object
  2624. properties:
  2625. acme:
  2626. description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
  2627. type: object
  2628. required:
  2629. - privateKeySecretRef
  2630. - server
  2631. properties:
  2632. disableAccountKeyGeneration:
  2633. description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
  2634. type: boolean
  2635. email:
  2636. description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
  2637. type: string
  2638. enableDurationFeature:
  2639. description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
  2640. type: boolean
  2641. externalAccountBinding:
  2642. description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
  2643. type: object
  2644. required:
  2645. - keyID
  2646. - keySecretRef
  2647. properties:
  2648. keyAlgorithm:
  2649. description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
  2650. type: string
  2651. enum:
  2652. - HS256
  2653. - HS384
  2654. - HS512
  2655. keyID:
  2656. description: keyID is the ID of the CA key that the External Account is bound to.
  2657. type: string
  2658. keySecretRef:
  2659. description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
  2660. type: object
  2661. required:
  2662. - name
  2663. properties:
  2664. key:
  2665. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2666. type: string
  2667. name:
  2668. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2669. type: string
  2670. preferredChain:
  2671. description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
  2672. type: string
  2673. maxLength: 64
  2674. privateKeySecretRef:
  2675. description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
  2676. type: object
  2677. required:
  2678. - name
  2679. properties:
  2680. key:
  2681. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2682. type: string
  2683. name:
  2684. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2685. type: string
  2686. server:
  2687. description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
  2688. type: string
  2689. skipTLSVerify:
  2690. description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
  2691. type: boolean
  2692. solvers:
  2693. description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
  2694. type: array
  2695. items:
  2696. description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
  2697. type: object
  2698. properties:
  2699. dns01:
  2700. description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
  2701. type: object
  2702. properties:
  2703. acmeDNS:
  2704. description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
  2705. type: object
  2706. required:
  2707. - accountSecretRef
  2708. - host
  2709. properties:
  2710. accountSecretRef:
  2711. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2712. type: object
  2713. required:
  2714. - name
  2715. properties:
  2716. key:
  2717. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2718. type: string
  2719. name:
  2720. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2721. type: string
  2722. host:
  2723. type: string
  2724. akamai:
  2725. description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
  2726. type: object
  2727. required:
  2728. - accessTokenSecretRef
  2729. - clientSecretSecretRef
  2730. - clientTokenSecretRef
  2731. - serviceConsumerDomain
  2732. properties:
  2733. accessTokenSecretRef:
  2734. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2735. type: object
  2736. required:
  2737. - name
  2738. properties:
  2739. key:
  2740. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2741. type: string
  2742. name:
  2743. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2744. type: string
  2745. clientSecretSecretRef:
  2746. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2747. type: object
  2748. required:
  2749. - name
  2750. properties:
  2751. key:
  2752. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2753. type: string
  2754. name:
  2755. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2756. type: string
  2757. clientTokenSecretRef:
  2758. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2759. type: object
  2760. required:
  2761. - name
  2762. properties:
  2763. key:
  2764. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2765. type: string
  2766. name:
  2767. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2768. type: string
  2769. serviceConsumerDomain:
  2770. type: string
  2771. azureDNS:
  2772. description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
  2773. type: object
  2774. required:
  2775. - resourceGroupName
  2776. - subscriptionID
  2777. properties:
  2778. clientID:
2779. description: If both this and ClientSecret are left unset, MSI will be used
  2780. type: string
  2781. clientSecretSecretRef:
2782. description: If both this and ClientID are left unset, MSI will be used
  2783. type: object
  2784. required:
  2785. - name
  2786. properties:
  2787. key:
  2788. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2789. type: string
  2790. name:
  2791. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2792. type: string
  2793. environment:
  2794. description: name of the Azure environment (default AzurePublicCloud)
  2795. type: string
  2796. enum:
  2797. - AzurePublicCloud
  2798. - AzureChinaCloud
  2799. - AzureGermanCloud
  2800. - AzureUSGovernmentCloud
  2801. hostedZoneName:
  2802. description: name of the DNS zone that should be used
  2803. type: string
  2804. managedIdentity:
2805. description: Managed identity configuration; cannot be used at the same time as clientID, clientSecretSecretRef or tenantID
  2806. type: object
  2807. properties:
  2808. clientID:
2809. description: Client ID of the managed identity; cannot be used at the same time as resourceID
  2810. type: string
  2811. resourceID:
2812. description: Resource ID of the managed identity; cannot be used at the same time as clientID
  2813. type: string
  2814. resourceGroupName:
  2815. description: resource group the DNS zone is located in
  2816. type: string
  2817. subscriptionID:
  2818. description: ID of the Azure subscription
  2819. type: string
  2820. tenantID:
2821. description: When specifying ClientID and ClientSecret, this field is also needed
  2822. type: string
  2823. cloudDNS:
  2824. description: Use the Google Cloud DNS API to manage DNS01 challenge records.
  2825. type: object
  2826. required:
  2827. - project
  2828. properties:
  2829. hostedZoneName:
  2830. description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
  2831. type: string
  2832. project:
  2833. type: string
  2834. serviceAccountSecretRef:
  2835. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2836. type: object
  2837. required:
  2838. - name
  2839. properties:
  2840. key:
  2841. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2842. type: string
  2843. name:
  2844. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2845. type: string
  2846. cloudflare:
  2847. description: Use the Cloudflare API to manage DNS01 challenge records.
  2848. type: object
  2849. properties:
  2850. apiKeySecretRef:
  2851. description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
  2852. type: object
  2853. required:
  2854. - name
  2855. properties:
  2856. key:
  2857. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2858. type: string
  2859. name:
  2860. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2861. type: string
  2862. apiTokenSecretRef:
  2863. description: API token used to authenticate with Cloudflare.
  2864. type: object
  2865. required:
  2866. - name
  2867. properties:
  2868. key:
  2869. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2870. type: string
  2871. name:
  2872. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2873. type: string
  2874. email:
  2875. description: Email of the account, only required when using API key based authentication.
  2876. type: string
  2877. cnameStrategy:
  2878. description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
  2879. type: string
  2880. enum:
  2881. - None
  2882. - Follow
  2883. digitalocean:
  2884. description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
  2885. type: object
  2886. required:
  2887. - tokenSecretRef
  2888. properties:
  2889. tokenSecretRef:
  2890. description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
  2891. type: object
  2892. required:
  2893. - name
  2894. properties:
  2895. key:
  2896. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2897. type: string
  2898. name:
  2899. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2900. type: string
  2901. rfc2136:
  2902. description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
  2903. type: object
  2904. required:
  2905. - nameserver
  2906. properties:
  2907. nameserver:
2908. description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
  2909. type: string
  2910. tsigAlgorithm:
  2911. description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
  2912. type: string
  2913. tsigKeyName:
  2914. description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
  2915. type: string
  2916. tsigSecretSecretRef:
  2917. description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
  2918. type: object
  2919. required:
  2920. - name
  2921. properties:
  2922. key:
  2923. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2924. type: string
  2925. name:
  2926. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2927. type: string
  2928. route53:
  2929. description: Use the AWS Route53 API to manage DNS01 challenge records.
  2930. type: object
  2931. required:
  2932. - region
  2933. properties:
  2934. accessKeyID:
  2935. description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  2936. type: string
  2937. accessKeyIDSecretRef:
  2938. description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  2939. type: object
  2940. required:
  2941. - name
  2942. properties:
  2943. key:
  2944. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2945. type: string
  2946. name:
  2947. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2948. type: string
  2949. hostedZoneID:
2950. description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
  2951. type: string
  2952. region:
  2953. description: Always set the region when using AccessKeyID and SecretAccessKey
  2954. type: string
  2955. role:
  2956. description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
  2957. type: string
  2958. secretAccessKeySecretRef:
  2959. description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  2960. type: object
  2961. required:
  2962. - name
  2963. properties:
  2964. key:
  2965. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2966. type: string
  2967. name:
  2968. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  2969. type: string
  2970. webhook:
  2971. description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
  2972. type: object
  2973. required:
  2974. - groupName
  2975. - solverName
  2976. properties:
  2977. config:
  2978. description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
  2979. x-kubernetes-preserve-unknown-fields: true
  2980. groupName:
  2981. description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
  2982. type: string
  2983. solverName:
  2984. description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
  2985. type: string
  2986. http01:
  2987. description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
  2988. type: object
  2989. properties:
  2990. gatewayHTTPRoute:
  2991. description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
  2992. type: object
  2993. properties:
  2994. labels:
  2995. description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
  2996. type: object
  2997. additionalProperties:
  2998. type: string
  2999. parentRefs:
  3000. description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
  3001. type: array
  3002. items:
  3003. description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
  3004. type: object
  3005. required:
  3006. - name
  3007. properties:
  3008. group:
  3009. description: "Group is the group of the referent. \n Support: Core"
  3010. type: string
  3011. default: gateway.networking.k8s.io
  3012. maxLength: 253
  3013. pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3014. kind:
  3015. description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)"
  3016. type: string
  3017. default: Gateway
  3018. maxLength: 63
  3019. minLength: 1
  3020. pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
  3021. name:
  3022. description: "Name is the name of the referent. \n Support: Core"
  3023. type: string
  3024. maxLength: 253
  3025. minLength: 1
  3026. namespace:
  3027. description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
  3028. type: string
  3029. maxLength: 63
  3030. minLength: 1
  3031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3032. port:
  3033. description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n <gateway:experimental>"
  3034. type: integer
  3035. format: int32
  3036. maximum: 65535
  3037. minimum: 1
  3038. sectionName:
  3039. description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
  3040. type: string
  3041. maxLength: 253
  3042. minLength: 1
  3043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3044. serviceType:
  3045. description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
  3046. type: string
  3047. ingress:
  3048. description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
  3049. type: object
  3050. properties:
  3051. class:
  3052. description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
  3053. type: string
  3054. ingressTemplate:
  3055. description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
  3056. type: object
  3057. properties:
  3058. metadata:
  3059. description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
  3060. type: object
  3061. properties:
  3062. annotations:
  3063. description: Annotations that should be added to the created ACME HTTP01 solver ingress.
  3064. type: object
  3065. additionalProperties:
  3066. type: string
  3067. labels:
  3068. description: Labels that should be added to the created ACME HTTP01 solver ingress.
  3069. type: object
  3070. additionalProperties:
  3071. type: string
  3072. name:
  3073. description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
  3074. type: string
  3075. podTemplate:
  3076. description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
  3077. type: object
  3078. properties:
  3079. metadata:
  3080. description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
  3081. type: object
  3082. properties:
  3083. annotations:
3084. description: Annotations that should be added to the created ACME HTTP01 solver pods.
  3085. type: object
  3086. additionalProperties:
  3087. type: string
  3088. labels:
  3089. description: Labels that should be added to the created ACME HTTP01 solver pods.
  3090. type: object
  3091. additionalProperties:
  3092. type: string
  3093. spec:
  3094. description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
  3095. type: object
  3096. properties:
  3097. affinity:
  3098. description: If specified, the pod's scheduling constraints
  3099. type: object
  3100. properties:
  3101. nodeAffinity:
  3102. description: Describes node affinity scheduling rules for the pod.
  3103. type: object
  3104. properties:
  3105. preferredDuringSchedulingIgnoredDuringExecution:
  3106. description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
  3107. type: array
  3108. items:
  3109. description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
  3110. type: object
  3111. required:
  3112. - preference
  3113. - weight
  3114. properties:
  3115. preference:
  3116. description: A node selector term, associated with the corresponding weight.
  3117. type: object
  3118. properties:
  3119. matchExpressions:
  3120. description: A list of node selector requirements by node's labels.
  3121. type: array
  3122. items:
  3123. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3124. type: object
  3125. required:
  3126. - key
  3127. - operator
  3128. properties:
  3129. key:
  3130. description: The label key that the selector applies to.
  3131. type: string
  3132. operator:
3133. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  3134. type: string
  3135. values:
  3136. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  3137. type: array
  3138. items:
  3139. type: string
  3140. matchFields:
  3141. description: A list of node selector requirements by node's fields.
  3142. type: array
  3143. items:
  3144. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3145. type: object
  3146. required:
  3147. - key
  3148. - operator
  3149. properties:
  3150. key:
  3151. description: The label key that the selector applies to.
  3152. type: string
  3153. operator:
3154. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  3155. type: string
  3156. values:
  3157. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  3158. type: array
  3159. items:
  3160. type: string
  3161. x-kubernetes-map-type: atomic
  3162. weight:
  3163. description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  3164. type: integer
  3165. format: int32
  3166. requiredDuringSchedulingIgnoredDuringExecution:
  3167. description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
  3168. type: object
  3169. required:
  3170. - nodeSelectorTerms
  3171. properties:
  3172. nodeSelectorTerms:
  3173. description: Required. A list of node selector terms. The terms are ORed.
  3174. type: array
  3175. items:
  3176. description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  3177. type: object
  3178. properties:
  3179. matchExpressions:
  3180. description: A list of node selector requirements by node's labels.
  3181. type: array
  3182. items:
  3183. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3184. type: object
  3185. required:
  3186. - key
  3187. - operator
  3188. properties:
  3189. key:
  3190. description: The label key that the selector applies to.
  3191. type: string
  3192. operator:
3193. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  3194. type: string
  3195. values:
  3196. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  3197. type: array
  3198. items:
  3199. type: string
  3200. matchFields:
  3201. description: A list of node selector requirements by node's fields.
  3202. type: array
  3203. items:
  3204. description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3205. type: object
  3206. required:
  3207. - key
  3208. - operator
  3209. properties:
  3210. key:
  3211. description: The label key that the selector applies to.
  3212. type: string
  3213. operator:
3214. description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  3215. type: string
  3216. values:
  3217. description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
  3218. type: array
  3219. items:
  3220. type: string
  3221. x-kubernetes-map-type: atomic
  3222. x-kubernetes-map-type: atomic
  3223. podAffinity:
  3224. description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
  3225. type: object
  3226. properties:
  3227. preferredDuringSchedulingIgnoredDuringExecution:
  3228. description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  3229. type: array
  3230. items:
  3231. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  3232. type: object
  3233. required:
  3234. - podAffinityTerm
  3235. - weight
  3236. properties:
  3237. podAffinityTerm:
  3238. description: Required. A pod affinity term, associated with the corresponding weight.
  3239. type: object
  3240. required:
  3241. - topologyKey
  3242. properties:
  3243. labelSelector:
  3244. description: A label query over a set of resources, in this case pods.
  3245. type: object
  3246. properties:
  3247. matchExpressions:
  3248. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3249. type: array
  3250. items:
  3251. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3252. type: object
  3253. required:
  3254. - key
  3255. - operator
  3256. properties:
  3257. key:
  3258. description: key is the label key that the selector applies to.
  3259. type: string
  3260. operator:
  3261. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3262. type: string
  3263. values:
  3264. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3265. type: array
  3266. items:
  3267. type: string
  3268. matchLabels:
  3269. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3270. type: object
  3271. additionalProperties:
  3272. type: string
  3273. x-kubernetes-map-type: atomic
  3274. namespaceSelector:
  3275. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  3276. type: object
  3277. properties:
  3278. matchExpressions:
  3279. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3280. type: array
  3281. items:
  3282. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3283. type: object
  3284. required:
  3285. - key
  3286. - operator
  3287. properties:
  3288. key:
  3289. description: key is the label key that the selector applies to.
  3290. type: string
  3291. operator:
  3292. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3293. type: string
  3294. values:
  3295. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3296. type: array
  3297. items:
  3298. type: string
  3299. matchLabels:
  3300. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3301. type: object
  3302. additionalProperties:
  3303. type: string
  3304. x-kubernetes-map-type: atomic
  3305. namespaces:
  3306. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  3307. type: array
  3308. items:
  3309. type: string
  3310. topologyKey:
  3311. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  3312. type: string
  3313. weight:
  3314. description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  3315. type: integer
  3316. format: int32
  3317. requiredDuringSchedulingIgnoredDuringExecution:
  3318. description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  3319. type: array
  3320. items:
  3321. description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
  3322. type: object
  3323. required:
  3324. - topologyKey
  3325. properties:
  3326. labelSelector:
  3327. description: A label query over a set of resources, in this case pods.
  3328. type: object
  3329. properties:
  3330. matchExpressions:
  3331. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3332. type: array
  3333. items:
  3334. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3335. type: object
  3336. required:
  3337. - key
  3338. - operator
  3339. properties:
  3340. key:
  3341. description: key is the label key that the selector applies to.
  3342. type: string
  3343. operator:
  3344. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3345. type: string
  3346. values:
  3347. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3348. type: array
  3349. items:
  3350. type: string
  3351. matchLabels:
  3352. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3353. type: object
  3354. additionalProperties:
  3355. type: string
  3356. x-kubernetes-map-type: atomic
  3357. namespaceSelector:
  3358. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  3359. type: object
  3360. properties:
  3361. matchExpressions:
  3362. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3363. type: array
  3364. items:
  3365. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3366. type: object
  3367. required:
  3368. - key
  3369. - operator
  3370. properties:
  3371. key:
  3372. description: key is the label key that the selector applies to.
  3373. type: string
  3374. operator:
  3375. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3376. type: string
  3377. values:
  3378. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3379. type: array
  3380. items:
  3381. type: string
  3382. matchLabels:
  3383. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3384. type: object
  3385. additionalProperties:
  3386. type: string
  3387. x-kubernetes-map-type: atomic
  3388. namespaces:
  3389. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  3390. type: array
  3391. items:
  3392. type: string
  3393. topologyKey:
  3394. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  3395. type: string
  3396. podAntiAffinity:
  3397. description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
  3398. type: object
  3399. properties:
  3400. preferredDuringSchedulingIgnoredDuringExecution:
  3401. description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
  3402. type: array
  3403. items:
  3404. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  3405. type: object
  3406. required:
  3407. - podAffinityTerm
  3408. - weight
  3409. properties:
  3410. podAffinityTerm:
  3411. description: Required. A pod affinity term, associated with the corresponding weight.
  3412. type: object
  3413. required:
  3414. - topologyKey
  3415. properties:
  3416. labelSelector:
  3417. description: A label query over a set of resources, in this case pods.
  3418. type: object
  3419. properties:
  3420. matchExpressions:
  3421. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3422. type: array
  3423. items:
  3424. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3425. type: object
  3426. required:
  3427. - key
  3428. - operator
  3429. properties:
  3430. key:
  3431. description: key is the label key that the selector applies to.
  3432. type: string
  3433. operator:
  3434. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3435. type: string
  3436. values:
  3437. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3438. type: array
  3439. items:
  3440. type: string
  3441. matchLabels:
  3442. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3443. type: object
  3444. additionalProperties:
  3445. type: string
  3446. x-kubernetes-map-type: atomic
  3447. namespaceSelector:
  3448. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  3449. type: object
  3450. properties:
  3451. matchExpressions:
  3452. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3453. type: array
  3454. items:
  3455. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3456. type: object
  3457. required:
  3458. - key
  3459. - operator
  3460. properties:
  3461. key:
  3462. description: key is the label key that the selector applies to.
  3463. type: string
  3464. operator:
  3465. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3466. type: string
  3467. values:
  3468. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3469. type: array
  3470. items:
  3471. type: string
  3472. matchLabels:
  3473. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3474. type: object
  3475. additionalProperties:
  3476. type: string
  3477. x-kubernetes-map-type: atomic
  3478. namespaces:
  3479. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  3480. type: array
  3481. items:
  3482. type: string
  3483. topologyKey:
  3484. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  3485. type: string
  3486. weight:
  3487. description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
  3488. type: integer
  3489. format: int32
  3490. requiredDuringSchedulingIgnoredDuringExecution:
  3491. description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
  3492. type: array
  3493. items:
  3494. description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
  3495. type: object
  3496. required:
  3497. - topologyKey
  3498. properties:
  3499. labelSelector:
  3500. description: A label query over a set of resources, in this case pods.
  3501. type: object
  3502. properties:
  3503. matchExpressions:
  3504. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3505. type: array
  3506. items:
  3507. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3508. type: object
  3509. required:
  3510. - key
  3511. - operator
  3512. properties:
  3513. key:
  3514. description: key is the label key that the selector applies to.
  3515. type: string
  3516. operator:
  3517. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3518. type: string
  3519. values:
  3520. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3521. type: array
  3522. items:
  3523. type: string
  3524. matchLabels:
  3525. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3526. type: object
  3527. additionalProperties:
  3528. type: string
  3529. x-kubernetes-map-type: atomic
  3530. namespaceSelector:
  3531. description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
  3532. type: object
  3533. properties:
  3534. matchExpressions:
  3535. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  3536. type: array
  3537. items:
  3538. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  3539. type: object
  3540. required:
  3541. - key
  3542. - operator
  3543. properties:
  3544. key:
  3545. description: key is the label key that the selector applies to.
  3546. type: string
  3547. operator:
  3548. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  3549. type: string
  3550. values:
  3551. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  3552. type: array
  3553. items:
  3554. type: string
  3555. matchLabels:
  3556. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  3557. type: object
  3558. additionalProperties:
  3559. type: string
  3560. x-kubernetes-map-type: atomic
  3561. namespaces:
  3562. description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  3563. type: array
  3564. items:
  3565. type: string
  3566. topologyKey:
  3567. description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
  3568. type: string
  3569. nodeSelector:
  3570. description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
  3571. type: object
  3572. additionalProperties:
  3573. type: string
  3574. priorityClassName:
  3575. description: If specified, the pod's priorityClassName.
  3576. type: string
  3577. serviceAccountName:
  3578. description: If specified, the pod's service account
  3579. type: string
  3580. tolerations:
  3581. description: If specified, the pod's tolerations.
  3582. type: array
  3583. items:
  3584. description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
  3585. type: object
  3586. properties:
  3587. effect:
  3588. description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
  3589. type: string
  3590. key:
  3591. description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  3592. type: string
  3593. operator:
  3594. description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
  3595. type: string
  3596. tolerationSeconds:
  3597. description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
  3598. type: integer
  3599. format: int64
  3600. value:
  3601. description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
  3602. type: string
  3603. serviceType:
  3604. description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
  3605. type: string
  3606. selector:
  3607. description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
  3608. type: object
  3609. properties:
  3610. dnsNames:
  3611. description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  3612. type: array
  3613. items:
  3614. type: string
  3615. dnsZones:
  3616. description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
  3617. type: array
  3618. items:
  3619. type: string
  3620. matchLabels:
  3621. description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
  3622. type: object
  3623. additionalProperties:
  3624. type: string
  3625. ca:
  3626. description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
  3627. type: object
  3628. required:
  3629. - secretName
  3630. properties:
  3631. crlDistributionPoints:
  3632. description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
  3633. type: array
  3634. items:
  3635. type: string
  3636. ocspServers:
  3637. description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
  3638. type: array
  3639. items:
  3640. type: string
  3641. secretName:
  3642. description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
  3643. type: string
  3644. selfSigned:
  3645. description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
  3646. type: object
  3647. properties:
  3648. crlDistributionPoints:
  3649. description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
  3650. type: array
  3651. items:
  3652. type: string
  3653. vault:
  3654. description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
  3655. type: object
  3656. required:
  3657. - auth
  3658. - path
  3659. - server
  3660. properties:
  3661. auth:
  3662. description: Auth configures how cert-manager authenticates with the Vault server.
  3663. type: object
  3664. properties:
  3665. appRole:
  3666. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  3667. type: object
  3668. required:
  3669. - path
  3670. - roleId
  3671. - secretRef
  3672. properties:
  3673. path:
  3674. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  3675. type: string
  3676. roleId:
  3677. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  3678. type: string
  3679. secretRef:
  3680. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  3681. type: object
  3682. required:
  3683. - name
  3684. properties:
  3685. key:
  3686. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3687. type: string
  3688. name:
  3689. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  3690. type: string
  3691. kubernetes:
  3692. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3693. type: object
  3694. required:
  3695. - role
  3696. - secretRef
  3697. properties:
  3698. mountPath:
  3699. description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
  3700. type: string
  3701. role:
  3702. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3703. type: string
  3704. secretRef:
  3705. description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
  3706. type: object
  3707. required:
  3708. - name
  3709. properties:
  3710. key:
  3711. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3712. type: string
  3713. name:
  3714. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  3715. type: string
  3716. tokenSecretRef:
  3717. description: TokenSecretRef authenticates with Vault by presenting a token.
  3718. type: object
  3719. required:
  3720. - name
  3721. properties:
  3722. key:
  3723. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3724. type: string
  3725. name:
  3726. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  3727. type: string
  3728. caBundle:
  3729. description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection.
  3730. type: string
  3731. format: byte
  3732. caBundleSecretRef:
  3733. description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
  3734. type: object
  3735. required:
  3736. - name
  3737. properties:
  3738. key:
  3739. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3740. type: string
  3741. name:
  3742. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  3743. type: string
  3744. namespace:
  3745. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
  3746. type: string
  3747. path:
  3748. description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
  3749. type: string
  3750. server:
  3751. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  3752. type: string
  3753. venafi:
  3754. description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
  3755. type: object
  3756. required:
  3757. - zone
  3758. properties:
  3759. cloud:
  3760. description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
  3761. type: object
  3762. required:
  3763. - apiTokenSecretRef
  3764. properties:
  3765. apiTokenSecretRef:
  3766. description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
  3767. type: object
  3768. required:
  3769. - name
  3770. properties:
  3771. key:
  3772. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3773. type: string
  3774. name:
  3775. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  3776. type: string
  3777. url:
  3778. description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
  3779. type: string
  3780. tpp:
  3781. description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
  3782. type: object
  3783. required:
  3784. - credentialsRef
  3785. - url
  3786. properties:
  3787. caBundle:
  3788. description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
  3789. type: string
  3790. format: byte
  3791. credentialsRef:
  3792. description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
  3793. type: object
  3794. required:
  3795. - name
  3796. properties:
  3797. name:
  3798. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  3799. type: string
  3800. url:
  3801. description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
  3802. type: string
  3803. zone:
  3804. description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
  3805. type: string
  3806. status:
  3807. description: Status of the Issuer. This is set and managed automatically.
  3808. type: object
  3809. properties:
  3810. acme:
  3811. description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
  3812. type: object
  3813. properties:
  3814. lastRegisteredEmail:
  3815. description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
  3816. type: string
  3817. uri:
  3818. description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
  3819. type: string
  3820. conditions:
  3821. description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
  3822. type: array
  3823. items:
  3824. description: IssuerCondition contains condition information for an Issuer.
  3825. type: object
  3826. required:
  3827. - status
  3828. - type
  3829. properties:
  3830. lastTransitionTime:
  3831. description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
  3832. type: string
  3833. format: date-time
  3834. message:
  3835. description: Message is a human readable description of the details of the last transition, complementing reason.
  3836. type: string
  3837. observedGeneration:
  3838. description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
  3839. type: integer
  3840. format: int64
  3841. reason:
  3842. description: Reason is a brief machine readable explanation for the condition's last transition.
  3843. type: string
  3844. status:
  3845. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  3846. type: string
  3847. enum:
  3848. - "True"
  3849. - "False"
  3850. - Unknown
  3851. type:
  3852. description: Type of the condition, known values are (`Ready`).
  3853. type: string
  3854. x-kubernetes-list-map-keys:
  3855. - type
  3856. x-kubernetes-list-type: map
  3857. served: true
  3858. storage: true
  3859. ---
  3860. # Source: cert-manager/templates/crds.yaml
  3861. apiVersion: apiextensions.k8s.io/v1
  3862. kind: CustomResourceDefinition
  3863. metadata:
  3864. name: certificates.cert-manager.io
  3865. labels:
  3866. app: 'cert-manager'
  3867. app.kubernetes.io/name: 'cert-manager'
  3868. app.kubernetes.io/instance: 'cert-manager'
  3869. # Generated labels
  3870. app.kubernetes.io/version: "v1.10.1"
  3871. spec:
  3872. group: cert-manager.io
  3873. names:
  3874. kind: Certificate
  3875. listKind: CertificateList
  3876. plural: certificates
  3877. shortNames:
  3878. - cert
  3879. - certs
  3880. singular: certificate
  3881. categories:
  3882. - cert-manager
  3883. scope: Namespaced
  3884. versions:
  3885. - name: v1
  3886. subresources:
  3887. status: {}
  3888. additionalPrinterColumns:
  3889. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  3890. name: Ready
  3891. type: string
  3892. - jsonPath: .spec.secretName
  3893. name: Secret
  3894. type: string
  3895. - jsonPath: .spec.issuerRef.name
  3896. name: Issuer
  3897. priority: 1
  3898. type: string
  3899. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  3900. name: Status
  3901. priority: 1
  3902. type: string
  3903. - jsonPath: .metadata.creationTimestamp
  3904. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  3905. name: Age
  3906. type: date
  3907. schema:
  3908. openAPIV3Schema:
  3909. description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
  3910. type: object
  3911. required:
  3912. - spec
  3913. properties:
  3914. apiVersion:
  3915. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3916. type: string
  3917. kind:
  3918. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3919. type: string
  3920. metadata:
  3921. type: object
  3922. spec:
  3923. description: Desired state of the Certificate resource.
  3924. type: object
  3925. required:
  3926. - issuerRef
  3927. - secretName
  3928. properties:
  3929. additionalOutputFormats:
  3930. description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
  3931. type: array
  3932. items:
  3933. description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
  3934. type: object
  3935. required:
  3936. - type
  3937. properties:
  3938. type:
  3939. description: Type is the name of the format type that should be written to the Certificate's target Secret.
  3940. type: string
  3941. enum:
  3942. - DER
  3943. - CombinedPEM
  3944. commonName:
  3945. description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
  3946. type: string
  3947. dnsNames:
  3948. description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
  3949. type: array
  3950. items:
  3951. type: string
  3952. duration:
  3953. description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
  3954. type: string
  3955. emailAddresses:
  3956. description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
  3957. type: array
  3958. items:
  3959. type: string
  3960. encodeUsagesInRequest:
  3961. description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
  3962. type: boolean
  3963. ipAddresses:
  3964. description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
  3965. type: array
  3966. items:
  3967. type: string
  3968. isCA:
  3969. description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. Set this only for Certificates that are genuinely intended to act as a CA, since the resulting key pair can then sign further certificates.
  3970. type: boolean
  3971. issuerRef:
  3972. description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
  3973. type: object
  3974. required:
  3975. - name
  3976. properties:
  3977. group:
  3978. description: Group of the resource being referred to.
  3979. type: string
  3980. kind:
  3981. description: Kind of the resource being referred to.
  3982. type: string
  3983. name:
  3984. description: Name of the resource being referred to.
  3985. type: string
  3986. keystores:
  3987. description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
  3988. type: object
  3989. properties:
  3990. jks:
  3991. description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
  3992. type: object
  3993. required:
  3994. - create
  3995. - passwordSecretRef
  3996. properties:
  3997. create:
  3998. description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
  3999. type: boolean
  4000. passwordSecretRef:
  4001. description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
  4002. type: object
  4003. required:
  4004. - name
  4005. properties:
  4006. key:
  4007. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4008. type: string
  4009. name:
  4010. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  4011. type: string
  4012. pkcs12:
  4013. description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
  4014. type: object
  4015. required:
  4016. - create
  4017. - passwordSecretRef
  4018. properties:
  4019. create:
  4020. description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
  4021. type: boolean
  4022. passwordSecretRef:
  4023. description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
  4024. type: object
  4025. required:
  4026. - name
  4027. properties:
  4028. key:
  4029. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4030. type: string
  4031. name:
  4032. description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
  4033. type: string
  4034. literalSubject:
  4035. description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
  4036. type: string
  4037. privateKey:
  4038. description: Options to control private keys used for the Certificate.
  4039. type: object
  4040. properties:
  4041. algorithm:
  4042. description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
  4043. type: string
  4044. enum:
  4045. - RSA
  4046. - ECDSA
  4047. - Ed25519
  4048. encoding:
  4049. description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
  4050. type: string
  4051. enum:
  4052. - PKCS1
  4053. - PKCS8
  4054. rotationPolicy:
  4055. description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. Note that with 'Never' the same private key is carried across every renewal, so a key that has been exposed stays in use until it is rotated by hand; 'Always' is the safer choice wherever clients tolerate the key changing on renewal.
  4056. type: string
  4057. enum:
  4058. - Never
  4059. - Always
  4060. size:
  4061. description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
  4062. type: integer
  4063. renewBefore:
  4064. description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
  4065. type: string
  4066. revisionHistoryLimit:
  4067. description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
  4068. type: integer
  4069. format: int32
  4070. secretName:
  4071. description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. Because this Secret holds the private key, read access to it should be restricted to the workloads that actually need it.
  4072. type: string
  4073. secretTemplate:
  4074. description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
  4075. type: object
  4076. properties:
  4077. annotations:
  4078. description: Annotations is a key value map to be copied to the target Kubernetes Secret.
  4079. type: object
  4080. additionalProperties:
  4081. type: string
  4082. labels:
  4083. description: Labels is a key value map to be copied to the target Kubernetes Secret.
  4084. type: object
  4085. additionalProperties:
  4086. type: string
  4087. subject:
  4088. description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
  4089. type: object
  4090. properties:
  4091. countries:
  4092. description: Countries to be used on the Certificate.
  4093. type: array
  4094. items:
  4095. type: string
  4096. localities:
  4097. description: Cities to be used on the Certificate.
  4098. type: array
  4099. items:
  4100. type: string
  4101. organizationalUnits:
  4102. description: Organizational Units to be used on the Certificate.
  4103. type: array
  4104. items:
  4105. type: string
  4106. organizations:
  4107. description: Organizations to be used on the Certificate.
  4108. type: array
  4109. items:
  4110. type: string
  4111. postalCodes:
  4112. description: Postal codes to be used on the Certificate.
  4113. type: array
  4114. items:
  4115. type: string
  4116. provinces:
  4117. description: State/Provinces to be used on the Certificate.
  4118. type: array
  4119. items:
  4120. type: string
  4121. serialNumber:
  4122. description: Serial number to be used on the Certificate.
  4123. type: string
  4124. streetAddresses:
  4125. description: Street addresses to be used on the Certificate.
  4126. type: array
  4127. items:
  4128. type: string
  4129. uris:
  4130. description: URIs is a list of URI subjectAltNames to be set on the Certificate.
  4131. type: array
  4132. items:
  4133. type: string
  4134. usages:
  4135. description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
  4136. type: array
  4137. items:
  4138. description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
  4139. type: string
  4140. enum:
  4141. - signing
  4142. - digital signature
  4143. - content commitment
  4144. - key encipherment
  4145. - key agreement
  4146. - data encipherment
  4147. - cert sign
  4148. - crl sign
  4149. - encipher only
  4150. - decipher only
  4151. - any
  4152. - server auth
  4153. - client auth
  4154. - code signing
  4155. - email protection
  4156. - s/mime
  4157. - ipsec end system
  4158. - ipsec tunnel
  4159. - ipsec user
  4160. - timestamping
  4161. - ocsp signing
  4162. - microsoft sgc
  4163. - netscape sgc
  4164. status:
  4165. description: Status of the Certificate. This is set and managed automatically.
  4166. type: object
  4167. properties:
  4168. conditions:
  4169. description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
  4170. type: array
  4171. items:
  4172. description: CertificateCondition contains condition information for a Certificate.
  4173. type: object
  4174. required:
  4175. - status
  4176. - type
  4177. properties:
  4178. lastTransitionTime:
  4179. description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
  4180. type: string
  4181. format: date-time
  4182. message:
  4183. description: Message is a human readable description of the details of the last transition, complementing reason.
  4184. type: string
  4185. observedGeneration:
  4186. description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
  4187. type: integer
  4188. format: int64
  4189. reason:
  4190. description: Reason is a brief machine readable explanation for the condition's last transition.
  4191. type: string
  4192. status:
  4193. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  4194. type: string
  4195. enum:
  4196. - "True"
  4197. - "False"
  4198. - Unknown
  4199. type:
  4200. description: Type of the condition, known values are (`Ready`, `Issuing`).
  4201. type: string
  4202. x-kubernetes-list-map-keys:
  4203. - type
  4204. x-kubernetes-list-type: map
  4205. failedIssuanceAttempts:
  4206. description: The number of consecutive failed issuance attempts so far. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
  4207. type: integer
  4208. lastFailureTime:
  4209. description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until the back-off period derived from `failedIssuanceAttempts` (1 hour after the first failure, doubling with each further consecutive failure) has elapsed from this time.
  4210. type: string
  4211. format: date-time
  4212. nextPrivateKeySecretName:
  4213. description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
  4214. type: string
  4215. notAfter:
  4216. description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
  4217. type: string
  4218. format: date-time
  4219. notBefore:
  4220. description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
  4221. type: string
  4222. format: date-time
  4223. renewalTime:
  4224. description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
  4225. type: string
  4226. format: date-time
  4227. revision:
  4228. description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
  4229. type: integer
  4230. served: true
  4231. storage: true
  4232. ---
  4233. # Source: cert-manager/templates/crds.yaml
  4234. apiVersion: apiextensions.k8s.io/v1
  4235. kind: CustomResourceDefinition
  4236. metadata:
  4237. name: orders.acme.cert-manager.io
  4238. labels:
  4239. app: 'cert-manager'
  4240. app.kubernetes.io/name: 'cert-manager'
  4241. app.kubernetes.io/instance: 'cert-manager'
  4242. # Generated labels
  4243. app.kubernetes.io/version: "v1.10.1"
  4244. spec:
  4245. group: acme.cert-manager.io
  4246. names:
  4247. kind: Order
  4248. listKind: OrderList
  4249. plural: orders
  4250. singular: order
  4251. categories:
  4252. - cert-manager
  4253. - cert-manager-acme
  4254. scope: Namespaced
  4255. versions:
  4256. - name: v1
  4257. subresources:
  4258. status: {}
  4259. additionalPrinterColumns:
  4260. - jsonPath: .status.state
  4261. name: State
  4262. type: string
  4263. - jsonPath: .spec.issuerRef.name
  4264. name: Issuer
  4265. priority: 1
  4266. type: string
  4267. - jsonPath: .status.reason
  4268. name: Reason
  4269. priority: 1
  4270. type: string
  4271. - jsonPath: .metadata.creationTimestamp
  4272. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  4273. name: Age
  4274. type: date
  4275. schema:
  4276. openAPIV3Schema:
  4277. description: Order is a type to represent an Order with an ACME server
  4278. type: object
  4279. required:
  4280. - metadata
  4281. - spec
  4282. properties:
  4283. apiVersion:
  4284. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4285. type: string
  4286. kind:
  4287. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4288. type: string
  4289. metadata:
  4290. type: object
  4291. spec:
  4292. type: object
  4293. required:
  4294. - issuerRef
  4295. - request
  4296. properties:
  4297. commonName:
  4298. description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
  4299. type: string
  4300. dnsNames:
  4301. description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
  4302. type: array
  4303. items:
  4304. type: string
  4305. duration:
  4306. description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
  4307. type: string
  4308. ipAddresses:
  4309. description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
  4310. type: array
  4311. items:
  4312. type: string
  4313. issuerRef:
  4314. description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
  4315. type: object
  4316. required:
  4317. - name
  4318. properties:
  4319. group:
  4320. description: Group of the resource being referred to.
  4321. type: string
  4322. kind:
  4323. description: Kind of the resource being referred to.
  4324. type: string
  4325. name:
  4326. description: Name of the resource being referred to.
  4327. type: string
  4328. request:
  4329. description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
  4330. type: string
  4331. format: byte
  4332. status:
  4333. type: object
  4334. properties:
  4335. authorizations:
  4336. description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
  4337. type: array
  4338. items:
  4339. description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
  4340. type: object
  4341. required:
  4342. - url
  4343. properties:
  4344. challenges:
  4345. description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
  4346. type: array
  4347. items:
  4348. description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
  4349. type: object
  4350. required:
  4351. - token
  4352. - type
  4353. - url
  4354. properties:
  4355. token:
  4356. description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
  4357. type: string
  4358. type:
  4359. description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
  4360. type: string
  4361. url:
  4362. description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
  4363. type: string
  4364. identifier:
  4365. description: Identifier is the DNS name to be validated as part of this authorization
  4366. type: string
  4367. initialState:
  4368. description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
  4369. type: string
  4370. enum:
  4371. - valid
  4372. - ready
  4373. - pending
  4374. - processing
  4375. - invalid
  4376. - expired
  4377. - errored
  4378. url:
  4379. description: URL is the URL of the Authorization that must be completed
  4380. type: string
  4381. wildcard:
  4382. description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
  4383. type: boolean
  4384. certificate:
  4385. description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
  4386. type: string
  4387. format: byte
  4388. failureTime:
  4389. description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
  4390. type: string
  4391. format: date-time
  4392. finalizeURL:
  4393. description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
  4394. type: string
  4395. reason:
  4396. description: Reason optionally provides more information about why the order is in the current state.
  4397. type: string
  4398. state:
  4399. description: State contains the current state of this Order resource. 'valid' (reached once the order has been successfully finalized, at which point `certificate` is populated) and 'expired' are final states; the full set of accepted values is given by the enum below.
  4400. type: string
  4401. enum:
  4402. - valid
  4403. - ready
  4404. - pending
  4405. - processing
  4406. - invalid
  4407. - expired
  4408. - errored
  4409. url:
  4410. description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
  4411. type: string
  4412. served: true
  4413. storage: true