# Copyright 2021 The cert-manager Authors.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15---
16# Source: cert-manager/templates/templates.out
17apiVersion: apiextensions.k8s.io/v1
18kind: CustomResourceDefinition
19metadata:
20 name: certificaterequests.cert-manager.io
  annotations:
    # This annotation asks cert-manager's cainjector to copy the CA held in the
    # named Secret (namespace/name) into spec.conversion.webhook.clientConfig.caBundle,
    # which is not set in this manifest. That CA is what the API server uses to
    # authenticate the conversion webhook, so write access to this Secret (or to
    # cainjector's credentials) effectively controls conversion of every
    # CertificateRequest object; restrict RBAC on it accordingly.
    cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
23 labels:
24 app: 'cert-manager'
25 app.kubernetes.io/name: 'cert-manager'
26 app.kubernetes.io/instance: 'cert-manager'
27 # Generated labels
28 app.kubernetes.io/version: "v1.5.4"
29spec:
30 group: cert-manager.io
31 names:
32 kind: CertificateRequest
33 listKind: CertificateRequestList
34 plural: certificaterequests
35 shortNames:
36 - cr
37 - crs
38 singular: certificaterequest
39 categories:
40 - cert-manager
41 scope: Namespaced
  conversion:
    # A Webhook strategy instructs the API server to call an external webhook for
    # any conversion between the served versions of this resource.
    strategy: Webhook
    # `webhook` (with its `clientConfig`) is required when strategy is `Webhook`;
    # it configures the endpoint the API server calls.
    webhook:
      # We don't actually support `v1beta1`, but it is listed here as it is a
      # required value for Kubernetes v1.16 (kubernetes/kubernetes#82023). The
      # API server reads the supported versions in order, so it _should always_
      # attempt a `v1` request, which is understood by the cert-manager webhook.
      # Any `v1beta1` request will return an error and fail closed for that
      # resource (the whole object request is rejected).
      # When we no longer support v1.16 we can remove `v1beta1` from this list.
      conversionReviewVersions: ["v1", "v1beta1"]
      clientConfig:
        # No `caBundle` is set here: it is expected to be injected from the Secret
        # named in the `cert-manager.io/inject-ca-from-secret` annotation above.
        # Until that happens the API server cannot validate the webhook's TLS
        # certificate against that CA, and conversion requests (hence reads and
        # writes of this resource at non-storage versions) fail closed.
        service:
          name: 'cert-manager-webhook'
          namespace: "cert-manager"
          path: /convert
62 versions:
63 - name: v1alpha2
64 subresources:
65 status: {}
66 additionalPrinterColumns:
67 - jsonPath: .status.conditions[?(@.type=="Approved")].status
68 name: Approved
69 type: string
70 - jsonPath: .status.conditions[?(@.type=="Denied")].status
71 name: Denied
72 type: string
73 - jsonPath: .status.conditions[?(@.type=="Ready")].status
74 name: Ready
75 type: string
76 - jsonPath: .spec.issuerRef.name
77 name: Issuer
78 type: string
79 - jsonPath: .spec.username
80 name: Requestor
81 type: string
82 - jsonPath: .status.conditions[?(@.type=="Ready")].message
83 name: Status
84 priority: 1
85 type: string
86 - jsonPath: .metadata.creationTimestamp
87 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
88 name: Age
89 type: date
90 schema:
91 openAPIV3Schema:
        description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by the `Ready` condition in its `status.conditions` list. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
93 type: object
94 properties:
95 apiVersion:
96 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
97 type: string
98 kind:
99 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
100 type: string
101 metadata:
102 type: object
103 spec:
104 description: Desired state of the CertificateRequest resource.
105 type: object
106 required:
107 - csr
108 - issuerRef
109 properties:
110 csr:
111 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
112 type: string
113 format: byte
114 duration:
115 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
116 type: string
117 extra:
118 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
119 type: object
120 additionalProperties:
121 type: array
122 items:
123 type: string
124 groups:
125 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
126 type: array
127 items:
128 type: string
129 x-kubernetes-list-type: atomic
130 isCA:
131 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
132 type: boolean
133 issuerRef:
134 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
135 type: object
136 required:
137 - name
138 properties:
139 group:
140 description: Group of the resource being referred to.
141 type: string
142 kind:
143 description: Kind of the resource being referred to.
144 type: string
145 name:
146 description: Name of the resource being referred to.
147 type: string
148 uid:
149 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
150 type: string
151 usages:
152 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
153 type: array
154 items:
155 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
156 type: string
157 enum:
158 - signing
159 - digital signature
160 - content commitment
161 - key encipherment
162 - key agreement
163 - data encipherment
164 - cert sign
165 - crl sign
166 - encipher only
167 - decipher only
168 - any
169 - server auth
170 - client auth
171 - code signing
172 - email protection
173 - s/mime
174 - ipsec end system
175 - ipsec tunnel
176 - ipsec user
177 - timestamping
178 - ocsp signing
179 - microsoft sgc
180 - netscape sgc
181 username:
182 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
183 type: string
184 status:
185 description: Status of the CertificateRequest. This is set and managed automatically.
186 type: object
187 properties:
188 ca:
189 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
190 type: string
191 format: byte
192 certificate:
193 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
194 type: string
195 format: byte
196 conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
198 type: array
199 items:
200 description: CertificateRequestCondition contains condition information for a CertificateRequest.
201 type: object
202 required:
203 - status
204 - type
205 properties:
206 lastTransitionTime:
207 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
208 type: string
209 format: date-time
210 message:
211 description: Message is a human readable description of the details of the last transition, complementing reason.
212 type: string
213 reason:
214 description: Reason is a brief machine readable explanation for the condition's last transition.
215 type: string
216 status:
217 description: Status of the condition, one of (`True`, `False`, `Unknown`).
218 type: string
219 enum:
220 - "True"
221 - "False"
222 - Unknown
223 type:
224 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
225 type: string
226 failureTime:
227 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
228 type: string
229 format: date-time
230 served: true
231 storage: false
232 - name: v1alpha3
233 subresources:
234 status: {}
235 additionalPrinterColumns:
236 - jsonPath: .status.conditions[?(@.type=="Approved")].status
237 name: Approved
238 type: string
239 - jsonPath: .status.conditions[?(@.type=="Denied")].status
240 name: Denied
241 type: string
242 - jsonPath: .status.conditions[?(@.type=="Ready")].status
243 name: Ready
244 type: string
245 - jsonPath: .spec.issuerRef.name
246 name: Issuer
247 type: string
248 - jsonPath: .spec.username
249 name: Requestor
250 type: string
251 - jsonPath: .status.conditions[?(@.type=="Ready")].message
252 name: Status
253 priority: 1
254 type: string
255 - jsonPath: .metadata.creationTimestamp
256 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
257 name: Age
258 type: date
259 schema:
260 openAPIV3Schema:
        description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by the `Ready` condition in its `status.conditions` list. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
262 type: object
263 properties:
264 apiVersion:
265 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
266 type: string
267 kind:
268 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
269 type: string
270 metadata:
271 type: object
272 spec:
273 description: Desired state of the CertificateRequest resource.
274 type: object
275 required:
276 - csr
277 - issuerRef
278 properties:
279 csr:
280 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
281 type: string
282 format: byte
283 duration:
284 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
285 type: string
286 extra:
287 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
288 type: object
289 additionalProperties:
290 type: array
291 items:
292 type: string
293 groups:
294 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
295 type: array
296 items:
297 type: string
298 x-kubernetes-list-type: atomic
299 isCA:
300 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
301 type: boolean
302 issuerRef:
303 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
304 type: object
305 required:
306 - name
307 properties:
308 group:
309 description: Group of the resource being referred to.
310 type: string
311 kind:
312 description: Kind of the resource being referred to.
313 type: string
314 name:
315 description: Name of the resource being referred to.
316 type: string
317 uid:
318 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
319 type: string
320 usages:
321 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
322 type: array
323 items:
324 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
325 type: string
326 enum:
327 - signing
328 - digital signature
329 - content commitment
330 - key encipherment
331 - key agreement
332 - data encipherment
333 - cert sign
334 - crl sign
335 - encipher only
336 - decipher only
337 - any
338 - server auth
339 - client auth
340 - code signing
341 - email protection
342 - s/mime
343 - ipsec end system
344 - ipsec tunnel
345 - ipsec user
346 - timestamping
347 - ocsp signing
348 - microsoft sgc
349 - netscape sgc
350 username:
351 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
352 type: string
353 status:
354 description: Status of the CertificateRequest. This is set and managed automatically.
355 type: object
356 properties:
357 ca:
358 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
359 type: string
360 format: byte
361 certificate:
362 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
363 type: string
364 format: byte
365 conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
367 type: array
368 items:
369 description: CertificateRequestCondition contains condition information for a CertificateRequest.
370 type: object
371 required:
372 - status
373 - type
374 properties:
375 lastTransitionTime:
376 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
377 type: string
378 format: date-time
379 message:
380 description: Message is a human readable description of the details of the last transition, complementing reason.
381 type: string
382 reason:
383 description: Reason is a brief machine readable explanation for the condition's last transition.
384 type: string
385 status:
386 description: Status of the condition, one of (`True`, `False`, `Unknown`).
387 type: string
388 enum:
389 - "True"
390 - "False"
391 - Unknown
392 type:
393 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
394 type: string
395 failureTime:
396 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
397 type: string
398 format: date-time
399 served: true
400 storage: false
401 - name: v1beta1
402 subresources:
403 status: {}
404 additionalPrinterColumns:
405 - jsonPath: .status.conditions[?(@.type=="Approved")].status
406 name: Approved
407 type: string
408 - jsonPath: .status.conditions[?(@.type=="Denied")].status
409 name: Denied
410 type: string
411 - jsonPath: .status.conditions[?(@.type=="Ready")].status
412 name: Ready
413 type: string
414 - jsonPath: .spec.issuerRef.name
415 name: Issuer
416 type: string
417 - jsonPath: .spec.username
418 name: Requestor
419 type: string
420 - jsonPath: .status.conditions[?(@.type=="Ready")].message
421 name: Status
422 priority: 1
423 type: string
424 - jsonPath: .metadata.creationTimestamp
425 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
426 name: Age
427 type: date
428 schema:
429 openAPIV3Schema:
        description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by the `Ready` condition in its `status.conditions` list. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
431 type: object
432 required:
433 - spec
434 properties:
435 apiVersion:
436 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
437 type: string
438 kind:
439 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
440 type: string
441 metadata:
442 type: object
443 spec:
444 description: Desired state of the CertificateRequest resource.
445 type: object
446 required:
447 - issuerRef
448 - request
449 properties:
450 duration:
451 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
452 type: string
453 extra:
454 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
455 type: object
456 additionalProperties:
457 type: array
458 items:
459 type: string
460 groups:
461 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
462 type: array
463 items:
464 type: string
465 x-kubernetes-list-type: atomic
466 isCA:
467 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
468 type: boolean
469 issuerRef:
470 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
471 type: object
472 required:
473 - name
474 properties:
475 group:
476 description: Group of the resource being referred to.
477 type: string
478 kind:
479 description: Kind of the resource being referred to.
480 type: string
481 name:
482 description: Name of the resource being referred to.
483 type: string
484 request:
485 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
486 type: string
487 format: byte
488 uid:
489 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
490 type: string
491 usages:
492 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
493 type: array
494 items:
495 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
496 type: string
497 enum:
498 - signing
499 - digital signature
500 - content commitment
501 - key encipherment
502 - key agreement
503 - data encipherment
504 - cert sign
505 - crl sign
506 - encipher only
507 - decipher only
508 - any
509 - server auth
510 - client auth
511 - code signing
512 - email protection
513 - s/mime
514 - ipsec end system
515 - ipsec tunnel
516 - ipsec user
517 - timestamping
518 - ocsp signing
519 - microsoft sgc
520 - netscape sgc
521 username:
522 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
523 type: string
524 status:
525 description: Status of the CertificateRequest. This is set and managed automatically.
526 type: object
527 properties:
528 ca:
529 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
530 type: string
531 format: byte
532 certificate:
533 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
534 type: string
535 format: byte
536 conditions:
                  description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
538 type: array
539 items:
540 description: CertificateRequestCondition contains condition information for a CertificateRequest.
541 type: object
542 required:
543 - status
544 - type
545 properties:
546 lastTransitionTime:
547 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
548 type: string
549 format: date-time
550 message:
551 description: Message is a human readable description of the details of the last transition, complementing reason.
552 type: string
553 reason:
554 description: Reason is a brief machine readable explanation for the condition's last transition.
555 type: string
556 status:
557 description: Status of the condition, one of (`True`, `False`, `Unknown`).
558 type: string
559 enum:
560 - "True"
561 - "False"
562 - Unknown
563 type:
564 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
565 type: string
566 failureTime:
567 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
568 type: string
569 format: date-time
570 served: true
571 storage: false
572 - name: v1
573 subresources:
574 status: {}
575 additionalPrinterColumns:
576 - jsonPath: .status.conditions[?(@.type=="Approved")].status
577 name: Approved
578 type: string
579 - jsonPath: .status.conditions[?(@.type=="Denied")].status
580 name: Denied
581 type: string
582 - jsonPath: .status.conditions[?(@.type=="Ready")].status
583 name: Ready
584 type: string
585 - jsonPath: .spec.issuerRef.name
586 name: Issuer
587 type: string
588 - jsonPath: .spec.username
589 name: Requestor
590 type: string
591 - jsonPath: .status.conditions[?(@.type=="Ready")].message
592 name: Status
593 priority: 1
594 type: string
595 - jsonPath: .metadata.creationTimestamp
596 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
597 name: Age
598 type: date
599 schema:
600 openAPIV3Schema:
        description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by the `Ready` condition in its `status.conditions` list. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
602 type: object
603 required:
604 - spec
605 properties:
606 apiVersion:
607 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
608 type: string
609 kind:
610 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
611 type: string
612 metadata:
613 type: object
614 spec:
615 description: Desired state of the CertificateRequest resource.
616 type: object
617 required:
618 - issuerRef
619 - request
620 properties:
621 duration:
622 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
623 type: string
              # Security note: the identity fields below (extra, groups, uid,
              # username) are what is surfaced as the "Requestor" of this request
              # (see the printer column on .spec.username). Nothing in this schema
              # enforces "populated by the webhook" or "immutable" -- there are no
              # x-kubernetes-validations here -- so that guarantee holds only while
              # the cert-manager admission webhook is reachable and fails closed.
              # Treat these values as untrusted wherever the webhook can be bypassed.
              extra:
                description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
626 type: object
627 additionalProperties:
628 type: array
629 items:
630 type: string
631 groups:
632 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
633 type: array
634 items:
635 type: string
636 x-kubernetes-list-type: atomic
              # Security note: a request with isCA=true asks the issuer for a
              # certificate that can itself sign certificates (the `cert sign`
              # usage is added automatically). Whether an issuer honours this is
              # issuer-specific; approval policy should treat isCA=true requests
              # as privileged.
              isCA:
                description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
639 type: boolean
640 issuerRef:
641 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
642 type: object
643 required:
644 - name
645 properties:
646 group:
647 description: Group of the resource being referred to.
648 type: string
649 kind:
650 description: Kind of the resource being referred to.
651 type: string
652 name:
653 description: Name of the resource being referred to.
654 type: string
655 request:
656 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
657 type: string
658 format: byte
659 uid:
660 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
661 type: string
662 usages:
                description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD also be encoded inside the CSR in `request`. Defaults to `digital signature` and `key encipherment` if not specified.
664 type: array
665 items:
666 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
667 type: string
668 enum:
669 - signing
670 - digital signature
671 - content commitment
672 - key encipherment
673 - key agreement
674 - data encipherment
675 - cert sign
676 - crl sign
677 - encipher only
678 - decipher only
679 - any
680 - server auth
681 - client auth
682 - code signing
683 - email protection
684 - s/mime
685 - ipsec end system
686 - ipsec tunnel
687 - ipsec user
688 - timestamping
689 - ocsp signing
690 - microsoft sgc
691 - netscape sgc
692 username:
693 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
694 type: string
695 status:
696 description: Status of the CertificateRequest. This is set and managed automatically.
697 type: object
698 properties:
699 ca:
700 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
701 type: string
702 format: byte
703 certificate:
704 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
705 type: string
706 format: byte
707 conditions:
708                 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
709 type: array
710 items:
711 description: CertificateRequestCondition contains condition information for a CertificateRequest.
712 type: object
713 required:
714 - status
715 - type
716 properties:
717 lastTransitionTime:
718 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
719 type: string
720 format: date-time
721 message:
722 description: Message is a human readable description of the details of the last transition, complementing reason.
723 type: string
724 reason:
725 description: Reason is a brief machine readable explanation for the condition's last transition.
726 type: string
727 status:
728 description: Status of the condition, one of (`True`, `False`, `Unknown`).
729 type: string
730 enum:
731 - "True"
732 - "False"
733 - Unknown
734 type:
735 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
736 type: string
737 failureTime:
738 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
739 type: string
740 format: date-time
741 served: true
742 storage: true
743---
744# Source: cert-manager/templates/templates.out
745apiVersion: apiextensions.k8s.io/v1
746kind: CustomResourceDefinition
747metadata:
748 name: certificates.cert-manager.io
749 annotations:
750 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
751 labels:
752 app: 'cert-manager'
753 app.kubernetes.io/name: 'cert-manager'
754 app.kubernetes.io/instance: 'cert-manager'
755 # Generated labels
756 app.kubernetes.io/version: "v1.5.4"
757spec:
758 group: cert-manager.io
759 names:
760 kind: Certificate
761 listKind: CertificateList
762 plural: certificates
763 shortNames:
764 - cert
765 - certs
766 singular: certificate
767 categories:
768 - cert-manager
769 scope: Namespaced
770 conversion:
771 # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
772     # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
773 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
774 webhook:
775     # We don't actually support `v1beta1`, but it is listed here as it is a
776 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
777 # API server reads the supported versions in order, so _should always_
778 # attempt a `v1` request which is understood by the cert-manager webhook.
779 # Any `v1beta1` request will return an error and fail closed for that
780 # resource (the whole object request is rejected).
781 # When we no longer support v1.16 we can remove `v1beta1` from this list.
782 conversionReviewVersions: ["v1", "v1beta1"]
783 clientConfig:
784       # No caBundle is set here: the CA is expected to be injected from the
          # Secret named in the `cert-manager.io/inject-ca-from-secret` annotation
          # above, so that the API server can verify the webhook's serving
          # certificate when calling /convert. Check on a live cluster that the
          # bundle has actually been injected before relying on conversions.
785 service:
786 name: 'cert-manager-webhook'
787 namespace: "cert-manager"
788 path: /convert
789 #
790 versions:
791 - name: v1alpha2
792 subresources:
793 status: {}
794 additionalPrinterColumns:
795 - jsonPath: .status.conditions[?(@.type=="Ready")].status
796 name: Ready
797 type: string
798 - jsonPath: .spec.secretName
799 name: Secret
800 type: string
801 - jsonPath: .spec.issuerRef.name
802 name: Issuer
803 priority: 1
804 type: string
805 - jsonPath: .status.conditions[?(@.type=="Ready")].message
806 name: Status
807 priority: 1
808 type: string
809 - jsonPath: .metadata.creationTimestamp
810 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
811 name: Age
812 type: date
813 schema:
814 openAPIV3Schema:
815 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
816 type: object
817 properties:
818 apiVersion:
819 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
820 type: string
821 kind:
822 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
823 type: string
824 metadata:
825 type: object
826 spec:
827 description: Desired state of the Certificate resource.
828 type: object
829 required:
830 - issuerRef
831 - secretName
832 properties:
833 commonName:
834 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
835 type: string
836 dnsNames:
837 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
838 type: array
839 items:
840 type: string
841 duration:
842 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
843 type: string
844 emailSANs:
845 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
846 type: array
847 items:
848 type: string
849 encodeUsagesInRequest:
850 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
851 type: boolean
852 ipAddresses:
853 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
854 type: array
855 items:
856 type: string
857 isCA:
858 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
859 type: boolean
860 issuerRef:
861 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
862 type: object
863 required:
864 - name
865 properties:
866 group:
867 description: Group of the resource being referred to.
868 type: string
869 kind:
870 description: Kind of the resource being referred to.
871 type: string
872 name:
873 description: Name of the resource being referred to.
874 type: string
875 keyAlgorithm:
876                   description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa`. If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
877 type: string
878 enum:
879 - rsa
880 - ecdsa
881 keyEncoding:
882 description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
883 type: string
884 enum:
885 - pkcs1
886 - pkcs8
887 keySize:
888 description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
889 type: integer
890 keystores:
891 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
892 type: object
893 properties:
894 jks:
895 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
896 type: object
897 required:
898 - create
899 - passwordSecretRef
900 properties:
901 create:
902 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
903 type: boolean
904 passwordSecretRef:
905 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
906 type: object
907 required:
908 - name
909 properties:
910 key:
911 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
912 type: string
913 name:
914 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
915 type: string
916 pkcs12:
917 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
918 type: object
919 required:
920 - create
921 - passwordSecretRef
922 properties:
923 create:
924 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
925 type: boolean
926 passwordSecretRef:
927 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
928 type: object
929 required:
930 - name
931 properties:
932 key:
933 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
934 type: string
935 name:
936 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
937 type: string
938 organization:
939 description: Organization is a list of organizations to be used on the Certificate.
940 type: array
941 items:
942 type: string
943 privateKey:
944 description: Options to control private keys used for the Certificate.
945 type: object
946 properties:
947 rotationPolicy:
948                       description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`, meaning the existing private key is reused across renewals. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs, which is the safer choice where long-lived key reuse is a concern. Default is 'Never' for backward compatibility.
949 type: string
950 renewBefore:
951 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
952 type: string
953 revisionHistoryLimit:
954 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
955 type: integer
956 format: int32
957 secretName:
958 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
959 type: string
960 secretTemplate:
961 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
962 type: object
963 properties:
964 annotations:
965 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
966 type: object
967 additionalProperties:
968 type: string
969 labels:
970 description: Labels is a key value map to be copied to the target Kubernetes Secret.
971 type: object
972 additionalProperties:
973 type: string
974 subject:
975 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
976 type: object
977 properties:
978 countries:
979 description: Countries to be used on the Certificate.
980 type: array
981 items:
982 type: string
983 localities:
984 description: Cities to be used on the Certificate.
985 type: array
986 items:
987 type: string
988 organizationalUnits:
989 description: Organizational Units to be used on the Certificate.
990 type: array
991 items:
992 type: string
993 postalCodes:
994 description: Postal codes to be used on the Certificate.
995 type: array
996 items:
997 type: string
998 provinces:
999 description: State/Provinces to be used on the Certificate.
1000 type: array
1001 items:
1002 type: string
1003 serialNumber:
1004 description: Serial number to be used on the Certificate.
1005 type: string
1006 streetAddresses:
1007 description: Street addresses to be used on the Certificate.
1008 type: array
1009 items:
1010 type: string
1011 uriSANs:
1012 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1013 type: array
1014 items:
1015 type: string
1016 usages:
1017 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1018 type: array
1019 items:
1020 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1021 type: string
1022 enum:
1023 - signing
1024 - digital signature
1025 - content commitment
1026 - key encipherment
1027 - key agreement
1028 - data encipherment
1029 - cert sign
1030 - crl sign
1031 - encipher only
1032 - decipher only
1033 - any
1034 - server auth
1035 - client auth
1036 - code signing
1037 - email protection
1038 - s/mime
1039 - ipsec end system
1040 - ipsec tunnel
1041 - ipsec user
1042 - timestamping
1043 - ocsp signing
1044 - microsoft sgc
1045 - netscape sgc
1046 status:
1047 description: Status of the Certificate. This is set and managed automatically.
1048 type: object
1049 properties:
1050 conditions:
1051 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1052 type: array
1053 items:
1054                   description: CertificateCondition contains condition information for a Certificate.
1055 type: object
1056 required:
1057 - status
1058 - type
1059 properties:
1060 lastTransitionTime:
1061 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1062 type: string
1063 format: date-time
1064 message:
1065 description: Message is a human readable description of the details of the last transition, complementing reason.
1066 type: string
1067 observedGeneration:
1068 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1069 type: integer
1070 format: int64
1071 reason:
1072 description: Reason is a brief machine readable explanation for the condition's last transition.
1073 type: string
1074 status:
1075 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1076 type: string
1077 enum:
1078 - "True"
1079 - "False"
1080 - Unknown
1081 type:
1082 description: Type of the condition, known values are (`Ready`, `Issuing`).
1083 type: string
1084 lastFailureTime:
1085 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1086 type: string
1087 format: date-time
1088 nextPrivateKeySecretName:
1089 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1090 type: string
1091 notAfter:
1092 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1093 type: string
1094 format: date-time
1095 notBefore:
1096 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1097 type: string
1098 format: date-time
1099 renewalTime:
1100 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1101 type: string
1102 format: date-time
1103 revision:
1104 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1105 type: integer
1106 served: true
1107 storage: false
1108 - name: v1alpha3
1109 subresources:
1110 status: {}
1111 additionalPrinterColumns:
1112 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1113 name: Ready
1114 type: string
1115 - jsonPath: .spec.secretName
1116 name: Secret
1117 type: string
1118 - jsonPath: .spec.issuerRef.name
1119 name: Issuer
1120 priority: 1
1121 type: string
1122 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1123 name: Status
1124 priority: 1
1125 type: string
1126 - jsonPath: .metadata.creationTimestamp
1127 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1128 name: Age
1129 type: date
1130 schema:
1131 openAPIV3Schema:
1132 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1133 type: object
1134 properties:
1135 apiVersion:
1136 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1137 type: string
1138 kind:
1139 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1140 type: string
1141 metadata:
1142 type: object
1143 spec:
1144 description: Desired state of the Certificate resource.
1145 type: object
1146 required:
1147 - issuerRef
1148 - secretName
1149 properties:
1150 commonName:
1151 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1152 type: string
1153 dnsNames:
1154 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1155 type: array
1156 items:
1157 type: string
1158 duration:
1159 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1160 type: string
1161 emailSANs:
1162 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1163 type: array
1164 items:
1165 type: string
1166 encodeUsagesInRequest:
1167 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1168 type: boolean
1169 ipAddresses:
1170 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1171 type: array
1172 items:
1173 type: string
1174 isCA:
1175 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1176 type: boolean
1177 issuerRef:
1178 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1179 type: object
1180 required:
1181 - name
1182 properties:
1183 group:
1184 description: Group of the resource being referred to.
1185 type: string
1186 kind:
1187 description: Kind of the resource being referred to.
1188 type: string
1189 name:
1190 description: Name of the resource being referred to.
1191 type: string
1192 keyAlgorithm:
1193                   description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa`. If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
1194 type: string
1195 enum:
1196 - rsa
1197 - ecdsa
1198 keyEncoding:
1199 description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
1200 type: string
1201 enum:
1202 - pkcs1
1203 - pkcs8
1204 keySize:
1205 description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1206 type: integer
1207 keystores:
1208 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1209 type: object
1210 properties:
1211 jks:
1212 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1213 type: object
1214 required:
1215 - create
1216 - passwordSecretRef
1217 properties:
1218 create:
1219                           description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks`, containing the issuing Certificate Authority and encrypted using the same password stored in `passwordSecretRef`, will also be created in the target Secret resource.
1220 type: boolean
1221 passwordSecretRef:
1222 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1223 type: object
1224 required:
1225 - name
1226 properties:
1227 key:
1228 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1229 type: string
1230 name:
1231 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1232 type: string
1233 pkcs12:
1234 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1235 type: object
1236 required:
1237 - create
1238 - passwordSecretRef
1239 properties:
1240 create:
1241                           description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12`, containing the issuing Certificate Authority and encrypted using the same password stored in `passwordSecretRef`, will also be created in the target Secret resource.
1242 type: boolean
1243 passwordSecretRef:
1244 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1245 type: object
1246 required:
1247 - name
1248 properties:
1249 key:
1250 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1251 type: string
1252 name:
1253 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1254 type: string
1255 privateKey:
1256 description: Options to control private keys used for the Certificate.
1257 type: object
1258 properties:
1259 rotationPolicy:
1260                       description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`, meaning the existing private key is reused across renewals. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs, which is the safer choice where long-lived key reuse is a concern. Default is 'Never' for backward compatibility.
1261 type: string
1262 renewBefore:
1263 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1264 type: string
1265 revisionHistoryLimit:
1266 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1267 type: integer
1268 format: int32
1269 secretName:
1270 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1271 type: string
1272 secretTemplate:
1273 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1274 type: object
1275 properties:
1276 annotations:
1277 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1278 type: object
1279 additionalProperties:
1280 type: string
1281 labels:
1282 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1283 type: object
1284 additionalProperties:
1285 type: string
1286 subject:
1287 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1288 type: object
1289 properties:
1290 countries:
1291 description: Countries to be used on the Certificate.
1292 type: array
1293 items:
1294 type: string
1295 localities:
1296 description: Cities to be used on the Certificate.
1297 type: array
1298 items:
1299 type: string
1300 organizationalUnits:
1301 description: Organizational Units to be used on the Certificate.
1302 type: array
1303 items:
1304 type: string
1305 organizations:
1306 description: Organizations to be used on the Certificate.
1307 type: array
1308 items:
1309 type: string
1310 postalCodes:
1311 description: Postal codes to be used on the Certificate.
1312 type: array
1313 items:
1314 type: string
1315 provinces:
1316 description: State/Provinces to be used on the Certificate.
1317 type: array
1318 items:
1319 type: string
1320 serialNumber:
1321 description: Serial number to be used on the Certificate.
1322 type: string
1323 streetAddresses:
1324 description: Street addresses to be used on the Certificate.
1325 type: array
1326 items:
1327 type: string
1328 uriSANs:
1329 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1330 type: array
1331 items:
1332 type: string
1333 usages:
1334 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1335 type: array
1336 items:
1337 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1338 type: string
1339 enum:
1340 - signing
1341 - digital signature
1342 - content commitment
1343 - key encipherment
1344 - key agreement
1345 - data encipherment
1346 - cert sign
1347 - crl sign
1348 - encipher only
1349 - decipher only
1350 - any
1351 - server auth
1352 - client auth
1353 - code signing
1354 - email protection
1355 - s/mime
1356 - ipsec end system
1357 - ipsec tunnel
1358 - ipsec user
1359 - timestamping
1360 - ocsp signing
1361 - microsoft sgc
1362 - netscape sgc
1363 status:
1364 description: Status of the Certificate. This is set and managed automatically.
1365 type: object
1366 properties:
1367 conditions:
1368 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1369 type: array
1370 items:
1371 description: CertificateCondition contains condition information for a Certificate.
1372 type: object
1373 required:
1374 - status
1375 - type
1376 properties:
1377 lastTransitionTime:
1378 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1379 type: string
1380 format: date-time
1381 message:
1382 description: Message is a human readable description of the details of the last transition, complementing reason.
1383 type: string
1384 observedGeneration:
1385 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1386 type: integer
1387 format: int64
1388 reason:
1389 description: Reason is a brief machine readable explanation for the condition's last transition.
1390 type: string
1391 status:
1392 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1393 type: string
1394 enum:
1395 - "True"
1396 - "False"
1397 - Unknown
1398 type:
1399 description: Type of the condition, known values are (`Ready`, `Issuing`).
1400 type: string
1401 lastFailureTime:
1402 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1403 type: string
1404 format: date-time
1405 nextPrivateKeySecretName:
1406 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1407 type: string
1408 notAfter:
1409 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1410 type: string
1411 format: date-time
1412 notBefore:
1413 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1414 type: string
1415 format: date-time
1416 renewalTime:
1417 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1418 type: string
1419 format: date-time
1420 revision:
1421 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1422 type: integer
1423 served: true
1424 storage: false
1425 - name: v1beta1
1426 subresources:
1427 status: {}
1428 additionalPrinterColumns:
1429 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1430 name: Ready
1431 type: string
1432 - jsonPath: .spec.secretName
1433 name: Secret
1434 type: string
1435 - jsonPath: .spec.issuerRef.name
1436 name: Issuer
1437 priority: 1
1438 type: string
1439 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1440 name: Status
1441 priority: 1
1442 type: string
1443 - jsonPath: .metadata.creationTimestamp
1444 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1445 name: Age
1446 type: date
1447 schema:
1448 openAPIV3Schema:
1449 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1450 type: object
1451 required:
1452 - spec
1453 properties:
1454 apiVersion:
1455 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1456 type: string
1457 kind:
1458 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1459 type: string
1460 metadata:
1461 type: object
1462 spec:
1463 description: Desired state of the Certificate resource.
1464 type: object
1465 required:
1466 - issuerRef
1467 - secretName
1468 properties:
1469 commonName:
1470 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1471 type: string
1472 dnsNames:
1473 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1474 type: array
1475 items:
1476 type: string
1477 duration:
1478 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1479 type: string
1480 emailSANs:
1481 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1482 type: array
1483 items:
1484 type: string
1485 encodeUsagesInRequest:
1486 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1487 type: boolean
1488 ipAddresses:
1489 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1490 type: array
1491 items:
1492 type: string
1493 isCA:
1494 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1495 type: boolean
1496 issuerRef:
1497 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1498 type: object
1499 required:
1500 - name
1501 properties:
1502 group:
1503 description: Group of the resource being referred to.
1504 type: string
1505 kind:
1506 description: Kind of the resource being referred to.
1507 type: string
1508 name:
1509 description: Name of the resource being referred to.
1510 type: string
1511 keystores:
1512 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1513 type: object
1514 properties:
1515 jks:
1516 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1517 type: object
1518 required:
1519 - create
1520 - passwordSecretRef
1521 properties:
1522 create:
1523 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. Note that the same Secret also holds the private key itself (see `secretName`), so the keystore password must not be relied upon for confidentiality: anyone who can read the Secret can read the key material regardless. Protect the Secret with RBAC.
1524 type: boolean
1525 passwordSecretRef:
1526 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1527 type: object
1528 required:
1529 - name
1530 properties:
1531 key:
1532 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1533 type: string
1534 name:
1535 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1536 type: string
1537 pkcs12:
1538 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1539 type: object
1540 required:
1541 - create
1542 - passwordSecretRef
1543 properties:
1544 create:
1545 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. Note that the same Secret also holds the private key itself (see `secretName`), so the keystore password must not be relied upon for confidentiality: anyone who can read the Secret can read the key material regardless. Protect the Secret with RBAC.
1546 type: boolean
1547 passwordSecretRef:
1548 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1549 type: object
1550 required:
1551 - name
1552 properties:
1553 key:
1554 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1555 type: string
1556 name:
1557 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1558 type: string
1559 privateKey:
1560 description: Options to control private keys used for the Certificate.
1561 type: object
1562 properties:
1563 algorithm:
1564 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA` or `ECDSA`. If `algorithm` is specified and `size` is not provided, a key size of 256 will be used for the `ECDSA` key algorithm and a key size of 2048 will be used for the `RSA` key algorithm.
1565 type: string
1566 enum:
1567 - RSA
1568 - ECDSA
1569 encoding:
1570 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1571 type: string
1572 enum:
1573 - PKCS1
1574 - PKCS8
1575 rotationPolicy:
1576 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. Note that with 'Never' the same private key is reused across every renewal, so a compromised key remains in use until the Secret is deleted or the policy is changed; 'Always' is the safer choice for new Certificates.
1577 type: string
1578 size:
1579 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1580 type: integer
1581 renewBefore:
1582 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. If unset, the certificate is renewed 2/3 of the way through its duration, i.e. `renewBefore` effectively defaults to 1/3 of the issued certificate's duration (see `duration`). Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1583 type: string
1584 revisionHistoryLimit:
1585 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1586 type: integer
1587 format: int32
1588 secretName:
1589 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. Because this Secret holds the private key, restrict read access to it (via RBAC) to the workloads that actually need it.
1590 type: string
1591 secretTemplate:
1592 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1593 type: object
1594 properties:
1595 annotations:
1596 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1597 type: object
1598 additionalProperties:
1599 type: string
1600 labels:
1601 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1602 type: object
1603 additionalProperties:
1604 type: string
1605 subject:
1606 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1607 type: object
1608 properties:
1609 countries:
1610 description: Countries to be used on the Certificate.
1611 type: array
1612 items:
1613 type: string
1614 localities:
1615 description: Cities to be used on the Certificate.
1616 type: array
1617 items:
1618 type: string
1619 organizationalUnits:
1620 description: Organizational Units to be used on the Certificate.
1621 type: array
1622 items:
1623 type: string
1624 organizations:
1625 description: Organizations to be used on the Certificate.
1626 type: array
1627 items:
1628 type: string
1629 postalCodes:
1630 description: Postal codes to be used on the Certificate.
1631 type: array
1632 items:
1633 type: string
1634 provinces:
1635 description: State/Provinces to be used on the Certificate.
1636 type: array
1637 items:
1638 type: string
1639 serialNumber:
1640 description: Serial number to be used on the Certificate.
1641 type: string
1642 streetAddresses:
1643 description: Street addresses to be used on the Certificate.
1644 type: array
1645 items:
1646 type: string
1647 uriSANs:
1648 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1649 type: array
1650 items:
1651 type: string
1652 usages:
1653 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1654 type: array
1655 items:
1656 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1657 type: string
1658 enum:
1659 - signing
1660 - digital signature
1661 - content commitment
1662 - key encipherment
1663 - key agreement
1664 - data encipherment
1665 - cert sign
1666 - crl sign
1667 - encipher only
1668 - decipher only
1669 - any
1670 - server auth
1671 - client auth
1672 - code signing
1673 - email protection
1674 - s/mime
1675 - ipsec end system
1676 - ipsec tunnel
1677 - ipsec user
1678 - timestamping
1679 - ocsp signing
1680 - microsoft sgc
1681 - netscape sgc
1682 status:
1683 description: Status of the Certificate. This is set and managed automatically.
1684 type: object
1685 properties:
1686 conditions:
1687 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1688 type: array
1689 items:
1690 description: CertificateCondition contains condition information for a Certificate.
1691 type: object
1692 required:
1693 - status
1694 - type
1695 properties:
1696 lastTransitionTime:
1697 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1698 type: string
1699 format: date-time
1700 message:
1701 description: Message is a human readable description of the details of the last transition, complementing reason.
1702 type: string
1703 observedGeneration:
1704 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1705 type: integer
1706 format: int64
1707 reason:
1708 description: Reason is a brief machine readable explanation for the condition's last transition.
1709 type: string
1710 status:
1711 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1712 type: string
1713 enum:
1714 - "True"
1715 - "False"
1716 - Unknown
1717 type:
1718 description: Type of the condition, known values are (`Ready`, `Issuing`).
1719 type: string
1720 lastFailureTime:
1721 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1722 type: string
1723 format: date-time
1724 nextPrivateKeySecretName:
1725 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1726 type: string
1727 notAfter:
1728 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1729 type: string
1730 format: date-time
1731 notBefore:
1732 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1733 type: string
1734 format: date-time
1735 renewalTime:
1736 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1737 type: string
1738 format: date-time
1739 revision:
1740 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1741 type: integer
1742 served: true
1743 storage: false
1744 - name: v1
1745 subresources:
1746 status: {}
1747 additionalPrinterColumns:
1748 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1749 name: Ready
1750 type: string
1751 - jsonPath: .spec.secretName
1752 name: Secret
1753 type: string
1754 - jsonPath: .spec.issuerRef.name
1755 name: Issuer
1756 priority: 1
1757 type: string
1758 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1759 name: Status
1760 priority: 1
1761 type: string
1762 - jsonPath: .metadata.creationTimestamp
1763 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1764 name: Age
1765 type: date
1766 schema:
1767 openAPIV3Schema:
1768 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1769 type: object
1770 required:
1771 - spec
1772 properties:
1773 apiVersion:
1774 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1775 type: string
1776 kind:
1777 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1778 type: string
1779 metadata:
1780 type: object
1781 spec:
1782 description: Desired state of the Certificate resource.
1783 type: object
1784 required:
1785 - issuerRef
1786 - secretName
1787 properties:
1788 commonName:
1789 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1790 type: string
1791 dnsNames:
1792 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1793 type: array
1794 items:
1795 type: string
1796 duration:
1797 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1798 type: string
1799 emailAddresses:
1800 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
1801 type: array
1802 items:
1803 type: string
1804 encodeUsagesInRequest:
1805 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1806 type: boolean
1807 ipAddresses:
1808 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1809 type: array
1810 items:
1811 type: string
1812 isCA:
1813 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1814 type: boolean
1815 issuerRef:
1816 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1817 type: object
1818 required:
1819 - name
1820 properties:
1821 group:
1822 description: Group of the resource being referred to.
1823 type: string
1824 kind:
1825 description: Kind of the resource being referred to.
1826 type: string
1827 name:
1828 description: Name of the resource being referred to.
1829 type: string
1830 keystores:
1831 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1832 type: object
1833 properties:
1834 jks:
1835 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1836 type: object
1837 required:
1838 - create
1839 - passwordSecretRef
1840 properties:
1841 create:
1842 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`, containing the issuing Certificate Authority. Note that the same Secret also holds the private key itself (see `secretName`), so the keystore password must not be relied upon for confidentiality: anyone who can read the Secret can read the key material regardless. Protect the Secret with RBAC.
1843 type: boolean
1844 passwordSecretRef:
1845 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1846 type: object
1847 required:
1848 - name
1849 properties:
1850 key:
1851 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1852 type: string
1853 name:
1854 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1855 type: string
1856 pkcs12:
1857 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1858 type: object
1859 required:
1860 - create
1861 - passwordSecretRef
1862 properties:
1863 create:
1864 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`, containing the issuing Certificate Authority. Note that the same Secret also holds the private key itself (see `secretName`), so the keystore password must not be relied upon for confidentiality: anyone who can read the Secret can read the key material regardless. Protect the Secret with RBAC.
1865 type: boolean
1866 passwordSecretRef:
1867 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1868 type: object
1869 required:
1870 - name
1871 properties:
1872 key:
1873 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1874 type: string
1875 name:
1876 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1877 type: string
1878 privateKey:
1879 description: Options to control private keys used for the Certificate.
1880 type: object
1881 properties:
1882 algorithm:
1883 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified and `size` is not provided, a key size of 256 will be used for the `ECDSA` key algorithm and a key size of 2048 will be used for the `RSA` key algorithm. Key size is ignored when using the `Ed25519` key algorithm.
1884 type: string
1885 enum:
1886 - RSA
1887 - ECDSA
1888 - Ed25519
1889 encoding:
1890 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1891 type: string
1892 enum:
1893 - PKCS1
1894 - PKCS8
1895 rotationPolicy:
1896 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. Note that with 'Never' the same private key is reused across every renewal, so a compromised key remains in use until the Secret is deleted or the policy is changed; 'Always' is the safer choice for new Certificates.
1897 type: string
1898 size:
1899 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
1900 type: integer
1901 renewBefore:
1902 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. If unset, the certificate is renewed 2/3 of the way through its duration, i.e. `renewBefore` effectively defaults to 1/3 of the issued certificate's duration (see `duration`). Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1903 type: string
1904 revisionHistoryLimit:
1905 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1906 type: integer
1907 format: int32
1908 secretName:
1909 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1910 type: string
1911 secretTemplate:
1912 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1913 type: object
1914 properties:
1915 annotations:
1916 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1917 type: object
1918 additionalProperties:
1919 type: string
1920 labels:
1921 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1922 type: object
1923 additionalProperties:
1924 type: string
1925 subject:
1926 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1927 type: object
1928 properties:
1929 countries:
1930 description: Countries to be used on the Certificate.
1931 type: array
1932 items:
1933 type: string
1934 localities:
1935 description: Cities to be used on the Certificate.
1936 type: array
1937 items:
1938 type: string
1939 organizationalUnits:
1940 description: Organizational Units to be used on the Certificate.
1941 type: array
1942 items:
1943 type: string
1944 organizations:
1945 description: Organizations to be used on the Certificate.
1946 type: array
1947 items:
1948 type: string
1949 postalCodes:
1950 description: Postal codes to be used on the Certificate.
1951 type: array
1952 items:
1953 type: string
1954 provinces:
1955 description: State/Provinces to be used on the Certificate.
1956 type: array
1957 items:
1958 type: string
1959 serialNumber:
1960 description: Serial number to be used on the Certificate.
1961 type: string
1962 streetAddresses:
1963 description: Street addresses to be used on the Certificate.
1964 type: array
1965 items:
1966 type: string
1967 uris:
1968 description: URIs is a list of URI subjectAltNames to be set on the Certificate.
1969 type: array
1970 items:
1971 type: string
1972 usages:
1973 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1974 type: array
1975 items:
1976 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1977 type: string
1978 enum:
1979 - signing
1980 - digital signature
1981 - content commitment
1982 - key encipherment
1983 - key agreement
1984 - data encipherment
1985 - cert sign
1986 - crl sign
1987 - encipher only
1988 - decipher only
1989 - any
1990 - server auth
1991 - client auth
1992 - code signing
1993 - email protection
1994 - s/mime
1995 - ipsec end system
1996 - ipsec tunnel
1997 - ipsec user
1998 - timestamping
1999 - ocsp signing
2000 - microsoft sgc
2001 - netscape sgc
2002 status:
2003 description: Status of the Certificate. This is set and managed automatically.
2004 type: object
2005 properties:
2006 conditions:
2007 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
2008 type: array
2009 items:
2010 description: CertificateCondition contains condition information for a Certificate.
2011 type: object
2012 required:
2013 - status
2014 - type
2015 properties:
2016 lastTransitionTime:
2017 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2018 type: string
2019 format: date-time
2020 message:
2021 description: Message is a human readable description of the details of the last transition, complementing reason.
2022 type: string
2023 observedGeneration:
2024 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
2025 type: integer
2026 format: int64
2027 reason:
2028 description: Reason is a brief machine readable explanation for the condition's last transition.
2029 type: string
2030 status:
2031 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2032 type: string
2033 enum:
2034 - "True"
2035 - "False"
2036 - Unknown
2037 type:
2038 description: Type of the condition, known values are (`Ready`, `Issuing`).
2039 type: string
2040 lastFailureTime:
2041 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
2042 type: string
2043 format: date-time
2044 nextPrivateKeySecretName:
2045 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
2046 type: string
2047 notAfter:
2048 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
2049 type: string
2050 format: date-time
2051 notBefore:
2052 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
2053 type: string
2054 format: date-time
2055 renewalTime:
2056 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
2057 type: string
2058 format: date-time
2059 revision:
2060 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
2061 type: integer
2062 served: true
2063 storage: true
2064---
2065# Source: cert-manager/templates/templates.out
2066apiVersion: apiextensions.k8s.io/v1
2067kind: CustomResourceDefinition
2068metadata:
2069 name: challenges.acme.cert-manager.io
2070 annotations:
2071 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
2072 labels:
2073 app: 'cert-manager'
2074 app.kubernetes.io/name: 'cert-manager'
2075 app.kubernetes.io/instance: 'cert-manager'
2076 # Generated labels
2077 app.kubernetes.io/version: "v1.5.4"
2078spec:
2079 group: acme.cert-manager.io
2080 names:
2081 kind: Challenge
2082 listKind: ChallengeList
2083 plural: challenges
2084 singular: challenge
2085 categories:
2086 - cert-manager
2087 - cert-manager-acme
2088 scope: Namespaced
2089 conversion:
2090 # a Webhook strategy instructs the API server to call an external webhook for any conversion between versions of the custom resource.
2091 strategy: Webhook
2092 # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint that the API server calls.
2093 webhook:
2094 # We don't actually support `v1beta1` but is listed here as it is a
2095 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
2096 # API server reads the supported versions in order, so _should always_
2097 # attempt a `v1` request which is understood by the cert-manager webhook.
2098 # Any `v1beta1` request will return an error and fail closed for that
2099 # resource (the whole object request is rejected).
2100 # When we no longer support v1.16 we can remove `v1beta1` from this list.
2101 conversionReviewVersions: ["v1", "v1beta1"]
2102 clientConfig:
2103 #
2104 service:
2105 name: 'cert-manager-webhook'
2106 namespace: "cert-manager"
2107 path: /convert
2108 #
2109 versions:
2110 - additionalPrinterColumns:
2111 - jsonPath: .status.state
2112 name: State
2113 type: string
2114 - jsonPath: .spec.dnsName
2115 name: Domain
2116 type: string
2117 - jsonPath: .status.reason
2118 name: Reason
2119 priority: 1
2120 type: string
2121 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2122 jsonPath: .metadata.creationTimestamp
2123 name: Age
2124 type: date
2125 name: v1alpha2
2126 schema:
2127 openAPIV3Schema:
2128 description: Challenge is a type to represent a Challenge request with an ACME server
2129 type: object
2130 required:
2131 - metadata
2132 properties:
2133 apiVersion:
2134 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2135 type: string
2136 kind:
2137 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2138 type: string
2139 metadata:
2140 type: object
2141 spec:
2142 type: object
2143 required:
2144 - authzURL
2145 - dnsName
2146 - issuerRef
2147 - key
2148 - solver
2149 - token
2150 - type
2151 - url
2152 properties:
2153 authzURL:
2154 description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
2155 type: string
2156 dnsName:
2157 description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
2158 type: string
2159 issuerRef:
2160 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
2161 type: object
2162 required:
2163 - name
2164 properties:
2165 group:
2166 description: Group of the resource being referred to.
2167 type: string
2168 kind:
2169 description: Kind of the resource being referred to.
2170 type: string
2171 name:
2172 description: Name of the resource being referred to.
2173 type: string
2174 key:
2175 description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge, in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
2176 type: string
2177 solver:
2178 description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
2179 type: object
2180 properties:
2181 dns01:
2182 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
2183 type: object
2184 properties:
2185 acmedns:
2186 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
2187 type: object
2188 required:
2189 - accountSecretRef
2190 - host
2191 properties:
2192 accountSecretRef:
2193 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2194 type: object
2195 required:
2196 - name
2197 properties:
2198 key:
2199 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2200 type: string
2201 name:
2202 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2203 type: string
2204 host:
2205 type: string
2206 akamai:
2207 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
2208 type: object
2209 required:
2210 - accessTokenSecretRef
2211 - clientSecretSecretRef
2212 - clientTokenSecretRef
2213 - serviceConsumerDomain
2214 properties:
2215 accessTokenSecretRef:
2216 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2217 type: object
2218 required:
2219 - name
2220 properties:
2221 key:
2222 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2223 type: string
2224 name:
2225 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2226 type: string
2227 clientSecretSecretRef:
2228 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2229 type: object
2230 required:
2231 - name
2232 properties:
2233 key:
2234 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2235 type: string
2236 name:
2237 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2238 type: string
2239 clientTokenSecretRef:
2240 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2241 type: object
2242 required:
2243 - name
2244 properties:
2245 key:
2246 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2247 type: string
2248 name:
2249 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2250 type: string
2251 serviceConsumerDomain:
2252 type: string
2253 azuredns:
2254 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
2255 type: object
2256 required:
2257 - resourceGroupName
2258 - subscriptionID
2259 properties:
2260 clientID:
2261 description: If both this and `clientSecretSecretRef` are left unset, Managed Service Identity (MSI) will be used for authentication.
2262 type: string
2263 clientSecretSecretRef:
2264 description: If both this and `clientID` are left unset, Managed Service Identity (MSI) will be used for authentication.
2265 type: object
2266 required:
2267 - name
2268 properties:
2269 key:
2270 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2271 type: string
2272 name:
2273 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2274 type: string
2275 environment:
2276 type: string
2277 enum:
2278 - AzurePublicCloud
2279 - AzureChinaCloud
2280 - AzureGermanCloud
2281 - AzureUSGovernmentCloud
2282 hostedZoneName:
2283 type: string
2284 resourceGroupName:
2285 type: string
2286 subscriptionID:
2287 type: string
2288 tenantID:
2289 description: Required when `clientID` and `clientSecretSecretRef` are specified.
2290 type: string
2291 clouddns:
2292 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
2293 type: object
2294 required:
2295 - project
2296 properties:
2297 hostedZoneName:
2298 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
2299 type: string
2300 project:
2301 type: string
2302 serviceAccountSecretRef:
2303 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2304 type: object
2305 required:
2306 - name
2307 properties:
2308 key:
2309 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2310 type: string
2311 name:
2312 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2313 type: string
2314 cloudflare:
2315 description: Use the Cloudflare API to manage DNS01 challenge records.
2316 type: object
2317 properties:
2318 apiKeySecretRef:
2319 description: 'API key to use to authenticate with Cloudflare. Note: authenticating with an API token (`apiTokenSecretRef`) is now the recommended method, as a token can be restricted to only the permissions needed for DNS01 solving.'
2320 type: object
2321 required:
2322 - name
2323 properties:
2324 key:
2325 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2326 type: string
2327 name:
2328 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2329 type: string
2330 apiTokenSecretRef:
2331 description: API token used to authenticate with Cloudflare.
2332 type: object
2333 required:
2334 - name
2335 properties:
2336 key:
2337 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2338 type: string
2339 name:
2340 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2341 type: string
2342 email:
2343 description: Email of the account, only required when using API key based authentication.
2344 type: string
2345 cnameStrategy:
2346 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
2347 type: string
2348 enum:
2349 - None
2350 - Follow
2351 digitalocean:
2352 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
2353 type: object
2354 required:
2355 - tokenSecretRef
2356 properties:
2357 tokenSecretRef:
2358 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2359 type: object
2360 required:
2361 - name
2362 properties:
2363 key:
2364 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2365 type: string
2366 name:
2367 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2368 type: string
2369 rfc2136:
2370 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
2371 type: object
2372 required:
2373 - nameserver
2374 properties:
2375 nameserver:
2376 description: The IP address or hostname of an authoritative DNS server supporting RFC2136, in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
2377 type: string
2378 tsigAlgorithm:
2379 description: 'The TSIG Algorithm configured in the DNS server supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The MD5 default is kept for compatibility; prefer ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them.'
2380 type: string
2381 tsigKeyName:
2382 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
2383 type: string
2384 tsigSecretSecretRef:
2385 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
2386 type: object
2387 required:
2388 - name
2389 properties:
2390 key:
2391 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2392 type: string
2393 name:
2394 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2395 type: string
2396 route53:
2397 description: Use the AWS Route53 API to manage DNS01 challenge records.
2398 type: object
2399 required:
2400 - region
2401 properties:
2402 accessKeyID:
2403 description: 'The AccessKeyID is used for authentication. If not set, cert-manager falls back to the AWS SDK credential chain (environment variables, shared credentials file, or AWS Instance metadata); when relying on that fallback, make sure the ambient credentials are scoped to only the Route53 permissions needed for DNS01 solving. See: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2404 type: string
2405 hostedZoneID:
2406 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
2407 type: string
2408 region:
2409 description: Always set the region when using AccessKeyID and SecretAccessKey
2410 type: string
2411 role:
2412 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata.
2413 type: string
2414 secretAccessKeySecretRef:
2415 description: The SecretAccessKey is used for authentication. If not set, cert-manager falls back to the AWS SDK credential chain (environment variables, shared credentials file, or AWS Instance metadata). See: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2416 type: object
2417 required:
2418 - name
2419 properties:
2420 key:
2421 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2422 type: string
2423 name:
2424 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2425 type: string
2426 webhook:
2427 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2428 type: object
2429 required:
2430 - groupName
2431 - solverName
2432 properties:
2433 config:
2434 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2435 x-kubernetes-preserve-unknown-fields: true
2436 groupName:
2437 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2438 type: string
2439 solverName:
2440 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2441 type: string
2442 http01:
2443 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2444 type: object
2445 properties:
2446 gatewayHTTPRoute:
2447 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2448 type: object
2449 properties:
2450 labels:
2451 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
2452 type: object
2453 additionalProperties:
2454 type: string
2455 serviceType:
2456 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2457 type: string
2458 ingress:
2459 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
2460 type: object
2461 properties:
2462 class:
2463 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
2464 type: string
2465 ingressTemplate:
2466 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
2467 type: object
2468 properties:
2469 metadata:
2470 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2471 type: object
2472 properties:
2473 annotations:
2474 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
2475 type: object
2476 additionalProperties:
2477 type: string
2478 labels:
2479 description: Labels that should be added to the created ACME HTTP01 solver ingress.
2480 type: object
2481 additionalProperties:
2482 type: string
2483 name:
2484 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
2485 type: string
2486 podTemplate:
2487 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2488 type: object
2489 properties:
2490 metadata:
2491 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2492 type: object
2493 properties:
2494 annotations:
2495 description: Annotations that should be added to the created ACME HTTP01 solver pods.
2496 type: object
2497 additionalProperties:
2498 type: string
2499 labels:
2500 description: Labels that should be added to the created ACME HTTP01 solver pods.
2501 type: object
2502 additionalProperties:
2503 type: string
2504 spec:
2505 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
2506 type: object
2507 properties:
2508 affinity:
2509 description: If specified, the pod's scheduling constraints
2510 type: object
2511 properties:
2512 nodeAffinity:
2513 description: Describes node affinity scheduling rules for the pod.
2514 type: object
2515 properties:
2516 preferredDuringSchedulingIgnoredDuringExecution:
2517 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2518 type: array
2519 items:
2520 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2521 type: object
2522 required:
2523 - preference
2524 - weight
2525 properties:
2526 preference:
2527 description: A node selector term, associated with the corresponding weight.
2528 type: object
2529 properties:
2530 matchExpressions:
2531 description: A list of node selector requirements by node's labels.
2532 type: array
2533 items:
2534 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2535 type: object
2536 required:
2537 - key
2538 - operator
2539 properties:
2540 key:
2541 description: The label key that the selector applies to.
2542 type: string
2543 operator:
2544 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2545 type: string
2546 values:
2547 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2548 type: array
2549 items:
2550 type: string
2551 matchFields:
2552 description: A list of node selector requirements by node's fields.
2553 type: array
2554 items:
2555 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2556 type: object
2557 required:
2558 - key
2559 - operator
2560 properties:
2561 key:
2562 description: The label key that the selector applies to.
2563 type: string
2564 operator:
2565 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2566 type: string
2567 values:
2568 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2569 type: array
2570 items:
2571 type: string
2572 weight:
2573 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2574 type: integer
2575 format: int32
2576 requiredDuringSchedulingIgnoredDuringExecution:
2577 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2578 type: object
2579 required:
2580 - nodeSelectorTerms
2581 properties:
2582 nodeSelectorTerms:
2583 description: Required. A list of node selector terms. The terms are ORed.
2584 type: array
2585 items:
2586 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2587 type: object
2588 properties:
2589 matchExpressions:
2590 description: A list of node selector requirements by node's labels.
2591 type: array
2592 items:
2593 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2594 type: object
2595 required:
2596 - key
2597 - operator
2598 properties:
2599 key:
2600 description: The label key that the selector applies to.
2601 type: string
2602 operator:
2603 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2604 type: string
2605 values:
2606 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2607 type: array
2608 items:
2609 type: string
2610 matchFields:
2611 description: A list of node selector requirements by node's fields.
2612 type: array
2613 items:
2614 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2615 type: object
2616 required:
2617 - key
2618 - operator
2619 properties:
2620 key:
2621 description: The label key that the selector applies to.
2622 type: string
2623 operator:
2624 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2625 type: string
2626 values:
2627 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2628 type: array
2629 items:
2630 type: string
2631 podAffinity:
2632 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2633 type: object
2634 properties:
2635 preferredDuringSchedulingIgnoredDuringExecution:
2636 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2637 type: array
2638 items:
2639 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2640 type: object
2641 required:
2642 - podAffinityTerm
2643 - weight
2644 properties:
2645 podAffinityTerm:
2646 description: Required. A pod affinity term, associated with the corresponding weight.
2647 type: object
2648 required:
2649 - topologyKey
2650 properties:
2651 labelSelector:
2652 description: A label query over a set of resources, in this case pods.
2653 type: object
2654 properties:
2655 matchExpressions:
2656 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2657 type: array
2658 items:
2659 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2660 type: object
2661 required:
2662 - key
2663 - operator
2664 properties:
2665 key:
2666 description: key is the label key that the selector applies to.
2667 type: string
2668 operator:
2669 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2670 type: string
2671 values:
2672 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2673 type: array
2674 items:
2675 type: string
2676 matchLabels:
2677 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2678 type: object
2679 additionalProperties:
2680 type: string
2681 namespaceSelector:
2682 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2683 type: object
2684 properties:
2685 matchExpressions:
2686 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2687 type: array
2688 items:
2689 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2690 type: object
2691 required:
2692 - key
2693 - operator
2694 properties:
2695 key:
2696 description: key is the label key that the selector applies to.
2697 type: string
2698 operator:
2699 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2700 type: string
2701 values:
2702 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2703 type: array
2704 items:
2705 type: string
2706 matchLabels:
2707 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2708 type: object
2709 additionalProperties:
2710 type: string
2711 namespaces:
2712 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2713 type: array
2714 items:
2715 type: string
2716 topologyKey:
2717 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2718 type: string
2719 weight:
2720 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2721 type: integer
2722 format: int32
2723 requiredDuringSchedulingIgnoredDuringExecution:
2724 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2725 type: array
2726 items:
2727 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2728 type: object
2729 required:
2730 - topologyKey
2731 properties:
2732 labelSelector:
2733 description: A label query over a set of resources, in this case pods.
2734 type: object
2735 properties:
2736 matchExpressions:
2737 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2738 type: array
2739 items:
2740 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2741 type: object
2742 required:
2743 - key
2744 - operator
2745 properties:
2746 key:
2747 description: key is the label key that the selector applies to.
2748 type: string
2749 operator:
2750 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2751 type: string
2752 values:
2753 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2754 type: array
2755 items:
2756 type: string
2757 matchLabels:
2758 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2759 type: object
2760 additionalProperties:
2761 type: string
2762 namespaceSelector:
2763 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2764 type: object
2765 properties:
2766 matchExpressions:
2767 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2768 type: array
2769 items:
2770 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2771 type: object
2772 required:
2773 - key
2774 - operator
2775 properties:
2776 key:
2777 description: key is the label key that the selector applies to.
2778 type: string
2779 operator:
2780 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2781 type: string
2782 values:
2783 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2784 type: array
2785 items:
2786 type: string
2787 matchLabels:
2788 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2789 type: object
2790 additionalProperties:
2791 type: string
2792 namespaces:
2793 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2794 type: array
2795 items:
2796 type: string
2797 topologyKey:
2798 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2799 type: string
2800 podAntiAffinity:
2801 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2802 type: object
2803 properties:
2804 preferredDuringSchedulingIgnoredDuringExecution:
2805 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2806 type: array
2807 items:
2808 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2809 type: object
2810 required:
2811 - podAffinityTerm
2812 - weight
2813 properties:
2814 podAffinityTerm:
2815 description: Required. A pod affinity term, associated with the corresponding weight.
2816 type: object
2817 required:
2818 - topologyKey
2819 properties:
2820 labelSelector:
2821 description: A label query over a set of resources, in this case pods.
2822 type: object
2823 properties:
2824 matchExpressions:
2825 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2826 type: array
2827 items:
2828 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2829 type: object
2830 required:
2831 - key
2832 - operator
2833 properties:
2834 key:
2835 description: key is the label key that the selector applies to.
2836 type: string
2837 operator:
2838 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2839 type: string
2840 values:
2841 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2842 type: array
2843 items:
2844 type: string
2845 matchLabels:
2846 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2847 type: object
2848 additionalProperties:
2849 type: string
2850 namespaceSelector:
2851 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2852 type: object
2853 properties:
2854 matchExpressions:
2855 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2856 type: array
2857 items:
2858 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2859 type: object
2860 required:
2861 - key
2862 - operator
2863 properties:
2864 key:
2865 description: key is the label key that the selector applies to.
2866 type: string
2867 operator:
2868 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2869 type: string
2870 values:
2871 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2872 type: array
2873 items:
2874 type: string
2875 matchLabels:
2876 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2877 type: object
2878 additionalProperties:
2879 type: string
2880 namespaces:
2881 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2882 type: array
2883 items:
2884 type: string
2885 topologyKey:
2886 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2887 type: string
2888 weight:
2889 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2890 type: integer
2891 format: int32
2892 requiredDuringSchedulingIgnoredDuringExecution:
2893 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2894 type: array
2895 items:
2896 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2897 type: object
2898 required:
2899 - topologyKey
2900 properties:
2901 labelSelector:
2902 description: A label query over a set of resources, in this case pods.
2903 type: object
2904 properties:
2905 matchExpressions:
2906 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2907 type: array
2908 items:
2909 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2910 type: object
2911 required:
2912 - key
2913 - operator
2914 properties:
2915 key:
2916 description: key is the label key that the selector applies to.
2917 type: string
2918 operator:
2919 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2920 type: string
2921 values:
2922 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2923 type: array
2924 items:
2925 type: string
2926 matchLabels:
2927 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2928 type: object
2929 additionalProperties:
2930 type: string
2931 namespaceSelector:
2932 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2933 type: object
2934 properties:
2935 matchExpressions:
2936 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2937 type: array
2938 items:
2939 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2940 type: object
2941 required:
2942 - key
2943 - operator
2944 properties:
2945 key:
2946 description: key is the label key that the selector applies to.
2947 type: string
2948 operator:
2949 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2950 type: string
2951 values:
2952 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2953 type: array
2954 items:
2955 type: string
2956 matchLabels:
2957 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2958 type: object
2959 additionalProperties:
2960 type: string
2961 namespaces:
2962 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2963 type: array
2964 items:
2965 type: string
2966 topologyKey:
2967 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2968 type: string
2969 nodeSelector:
2970 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2971 type: object
2972 additionalProperties:
2973 type: string
2974 priorityClassName:
2975 description: If specified, the pod's priorityClassName.
2976 type: string
2977 serviceAccountName:
2978 description: If specified, the pod's service account
2979 type: string
2980 tolerations:
2981 description: If specified, the pod's tolerations.
2982 type: array
2983 items:
2984 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2985 type: object
2986 properties:
2987 effect:
2988 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2989 type: string
2990 key:
2991 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2992 type: string
2993 operator:
2994 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2995 type: string
2996 tolerationSeconds:
2997 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
2998 type: integer
2999 format: int64
3000 value:
3001 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3002 type: string
3003 serviceType:
3004 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3005 type: string
3006 selector:
3007 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3008 type: object
3009 properties:
3010 dnsNames:
3011 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3012 type: array
3013 items:
3014 type: string
3015 dnsZones:
3016 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3017 type: array
3018 items:
3019 type: string
3020 matchLabels:
3021 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3022 type: object
3023 additionalProperties:
3024 type: string
3025 token:
3026 description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3027 type: string
3028 type:
3029 description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3030 type: string
3031 enum:
3032 - http-01
3033 - dns-01
3034 url:
3035 description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3036 type: string
3037 wildcard:
3038 description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
3039 type: boolean
3040 status:
3041 type: object
3042 properties:
3043 presented:
3044 description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
3045 type: boolean
3046 processing:
3047 description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
3048 type: boolean
3049 reason:
3050 description: Reason contains human readable information on why the Challenge is in the current state.
3051 type: string
3052 state:
3053 description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
3054 type: string
3055 enum:
3056 - valid
3057 - ready
3058 - pending
3059 - processing
3060 - invalid
3061 - expired
3062 - errored
3063 served: true
3064 storage: false
3065 subresources:
3066 status: {}
3067 - additionalPrinterColumns:
3068 - jsonPath: .status.state
3069 name: State
3070 type: string
3071 - jsonPath: .spec.dnsName
3072 name: Domain
3073 type: string
3074 - jsonPath: .status.reason
3075 name: Reason
3076 priority: 1
3077 type: string
3078 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
3079 jsonPath: .metadata.creationTimestamp
3080 name: Age
3081 type: date
3082 name: v1alpha3
3083 schema:
3084 openAPIV3Schema:
3085 description: Challenge is a type to represent a Challenge request with an ACME server
3086 type: object
3087 required:
3088 - metadata
3089 properties:
3090 apiVersion:
3091 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3092 type: string
3093 kind:
3094 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3095 type: string
3096 metadata:
3097 type: object
3098 spec:
3099 type: object
3100 required:
3101 - authzURL
3102 - dnsName
3103 - issuerRef
3104 - key
3105 - solver
3106 - token
3107 - type
3108 - url
3109 properties:
3110 authzURL:
3111 description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
3112 type: string
3113 dnsName:
3114 description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
3115 type: string
3116 issuerRef:
3117 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
3118 type: object
3119 required:
3120 - name
3121 properties:
3122 group:
3123 description: Group of the resource being referred to.
3124 type: string
3125 kind:
3126 description: Kind of the resource being referred to.
3127 type: string
3128 name:
3129 description: Name of the resource being referred to.
3130 type: string
3131 key:
3132 description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
3133 type: string
3134 solver:
3135 description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
3136 type: object
3137 properties:
3138 dns01:
3139 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
3140 type: object
3141 properties:
3142 acmedns:
3143 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
3144 type: object
3145 required:
3146 - accountSecretRef
3147 - host
3148 properties:
3149 accountSecretRef:
3150 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3151 type: object
3152 required:
3153 - name
3154 properties:
3155 key:
3156 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3157 type: string
3158 name:
3159 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3160 type: string
3161 host:
3162 type: string
3163 akamai:
3164 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
3165 type: object
3166 required:
3167 - accessTokenSecretRef
3168 - clientSecretSecretRef
3169 - clientTokenSecretRef
3170 - serviceConsumerDomain
3171 properties:
3172 accessTokenSecretRef:
3173 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3174 type: object
3175 required:
3176 - name
3177 properties:
3178 key:
3179 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3180 type: string
3181 name:
3182 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3183 type: string
3184 clientSecretSecretRef:
3185 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3186 type: object
3187 required:
3188 - name
3189 properties:
3190 key:
3191 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3192 type: string
3193 name:
3194 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3195 type: string
3196 clientTokenSecretRef:
3197 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3198 type: object
3199 required:
3200 - name
3201 properties:
3202 key:
3203 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3204 type: string
3205 name:
3206 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3207 type: string
3208 serviceConsumerDomain:
3209 type: string
3210 azuredns:
3211 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
3212 type: object
3213 required:
3214 - resourceGroupName
3215 - subscriptionID
3216 properties:
3217 clientID:
3218 description: If both this and ClientSecret are left unset, MSI will be used.
3219 type: string
3220 clientSecretSecretRef:
3221 description: If both this and ClientID are left unset, MSI will be used.
3222 type: object
3223 required:
3224 - name
3225 properties:
3226 key:
3227 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3228 type: string
3229 name:
3230 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3231 type: string
3232 environment:
3233 type: string
3234 enum:
3235 - AzurePublicCloud
3236 - AzureChinaCloud
3237 - AzureGermanCloud
3238 - AzureUSGovernmentCloud
3239 hostedZoneName:
3240 type: string
3241 resourceGroupName:
3242 type: string
3243 subscriptionID:
3244 type: string
3245 tenantID:
3246 description: When specifying ClientID and ClientSecret, this field is also required.
3247 type: string
3248 clouddns:
3249 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3250 type: object
3251 required:
3252 - project
3253 properties:
3254 hostedZoneName:
3255 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
3256 type: string
3257 project:
3258 type: string
3259 serviceAccountSecretRef:
3260 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3261 type: object
3262 required:
3263 - name
3264 properties:
3265 key:
3266 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3267 type: string
3268 name:
3269 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3270 type: string
3271 cloudflare:
3272 description: Use the Cloudflare API to manage DNS01 challenge records.
3273 type: object
3274 properties:
3275 apiKeySecretRef:
3276 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
3277 type: object
3278 required:
3279 - name
3280 properties:
3281 key:
3282 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3283 type: string
3284 name:
3285 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3286 type: string
3287 apiTokenSecretRef:
3288 description: API token used to authenticate with Cloudflare.
3289 type: object
3290 required:
3291 - name
3292 properties:
3293 key:
3294 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3295 type: string
3296 name:
3297 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3298 type: string
3299 email:
3300 description: Email of the account, only required when using API key based authentication.
3301 type: string
3302 cnameStrategy:
3303 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3304 type: string
3305 enum:
3306 - None
3307 - Follow
3308 digitalocean:
3309 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3310 type: object
3311 required:
3312 - tokenSecretRef
3313 properties:
3314 tokenSecretRef:
3315 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3316 type: object
3317 required:
3318 - name
3319 properties:
3320 key:
3321 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3322 type: string
3323 name:
3324 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3325 type: string
3326 rfc2136:
3327 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3328 type: object
3329 required:
3330 - nameserver
3331 properties:
3332 nameserver:
3333 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
3334 type: string
3335 tsigAlgorithm:
3336 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
3337 type: string
3338 tsigKeyName:
3339 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3340 type: string
3341 tsigSecretSecretRef:
3342 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3343 type: object
3344 required:
3345 - name
3346 properties:
3347 key:
3348 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3349 type: string
3350 name:
3351 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3352 type: string
3353 route53:
3354 description: Use the AWS Route53 API to manage DNS01 challenge records.
3355 type: object
3356 required:
3357 - region
3358 properties:
3359 accessKeyID:
3360 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3361 type: string
3362 hostedZoneID:
3363 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
3364 type: string
3365 region:
3366 description: Always set the region when using AccessKeyID and SecretAccessKey
3367 type: string
3368 role:
3369 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3370 type: string
3371 secretAccessKeySecretRef:
3372 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
3373 type: object
3374 required:
3375 - name
3376 properties:
3377 key:
3378 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3379 type: string
3380 name:
3381 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3382 type: string
3383 webhook:
3384 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3385 type: object
3386 required:
3387 - groupName
3388 - solverName
3389 properties:
3390 config:
3391 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3392 x-kubernetes-preserve-unknown-fields: true
3393 groupName:
3394 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3395 type: string
3396 solverName:
3397 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3398 type: string
3399 http01:
3400 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3401 type: object
3402 properties:
3403 gatewayHTTPRoute:
3404 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3405 type: object
3406 properties:
3407 labels:
3408 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
3409 type: object
3410 additionalProperties:
3411 type: string
3412 serviceType:
3413 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3414 type: string
3415 ingress:
3416 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3417 type: object
3418 properties:
3419 class:
3420 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
3421 type: string
3422 ingressTemplate:
3423 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
3424 type: object
3425 properties:
3426 metadata:
3427 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3428 type: object
3429 properties:
3430 annotations:
3431 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3432 type: object
3433 additionalProperties:
3434 type: string
3435 labels:
3436 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3437 type: object
3438 additionalProperties:
3439 type: string
3440 name:
3441 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
3442 type: string
3443 podTemplate:
3444 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3445 type: object
3446 properties:
3447 metadata:
3448 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3449 type: object
3450 properties:
3451 annotations:
3452 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3453 type: object
3454 additionalProperties:
3455 type: string
3456 labels:
3457 description: Labels that should be added to the created ACME HTTP01 solver pods.
3458 type: object
3459 additionalProperties:
3460 type: string
3461 spec:
3462 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
3463 type: object
3464 properties:
3465 affinity:
3466 description: If specified, the pod's scheduling constraints
3467 type: object
3468 properties:
3469 nodeAffinity:
3470 description: Describes node affinity scheduling rules for the pod.
3471 type: object
3472 properties:
3473 preferredDuringSchedulingIgnoredDuringExecution:
3474 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3475 type: array
3476 items:
3477 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3478 type: object
3479 required:
3480 - preference
3481 - weight
3482 properties:
3483 preference:
3484 description: A node selector term, associated with the corresponding weight.
3485 type: object
3486 properties:
3487 matchExpressions:
3488 description: A list of node selector requirements by node's labels.
3489 type: array
3490 items:
3491 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3492 type: object
3493 required:
3494 - key
3495 - operator
3496 properties:
3497 key:
3498 description: The label key that the selector applies to.
3499 type: string
3500 operator:
3501 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3502 type: string
3503 values:
3504 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3505 type: array
3506 items:
3507 type: string
3508 matchFields:
3509 description: A list of node selector requirements by node's fields.
3510 type: array
3511 items:
3512 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3513 type: object
3514 required:
3515 - key
3516 - operator
3517 properties:
3518 key:
3519 description: The label key that the selector applies to.
3520 type: string
3521 operator:
3522 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3523 type: string
3524 values:
3525 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3526 type: array
3527 items:
3528 type: string
3529 weight:
3530 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3531 type: integer
3532 format: int32
3533 requiredDuringSchedulingIgnoredDuringExecution:
3534 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3535 type: object
3536 required:
3537 - nodeSelectorTerms
3538 properties:
3539 nodeSelectorTerms:
3540 description: Required. A list of node selector terms. The terms are ORed.
3541 type: array
3542 items:
3543 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3544 type: object
3545 properties:
3546 matchExpressions:
3547 description: A list of node selector requirements by node's labels.
3548 type: array
3549 items:
3550 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3551 type: object
3552 required:
3553 - key
3554 - operator
3555 properties:
3556 key:
3557 description: The label key that the selector applies to.
3558 type: string
3559 operator:
3560 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3561 type: string
3562 values:
3563 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3564 type: array
3565 items:
3566 type: string
3567 matchFields:
3568 description: A list of node selector requirements by node's fields.
3569 type: array
3570 items:
3571 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3572 type: object
3573 required:
3574 - key
3575 - operator
3576 properties:
3577 key:
3578 description: The label key that the selector applies to.
3579 type: string
3580 operator:
3581 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3582 type: string
3583 values:
3584 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3585 type: array
3586 items:
3587 type: string
3588 podAffinity:
3589 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3590 type: object
3591 properties:
3592 preferredDuringSchedulingIgnoredDuringExecution:
3593 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3594 type: array
3595 items:
3596 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3597 type: object
3598 required:
3599 - podAffinityTerm
3600 - weight
3601 properties:
3602 podAffinityTerm:
3603 description: Required. A pod affinity term, associated with the corresponding weight.
3604 type: object
3605 required:
3606 - topologyKey
3607 properties:
3608 labelSelector:
3609 description: A label query over a set of resources, in this case pods.
3610 type: object
3611 properties:
3612 matchExpressions:
3613 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3614 type: array
3615 items:
3616 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3617 type: object
3618 required:
3619 - key
3620 - operator
3621 properties:
3622 key:
3623 description: key is the label key that the selector applies to.
3624 type: string
3625 operator:
3626 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3627 type: string
3628 values:
3629 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3630 type: array
3631 items:
3632 type: string
3633 matchLabels:
3634 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3635 type: object
3636 additionalProperties:
3637 type: string
3638 namespaceSelector:
3639 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3640 type: object
3641 properties:
3642 matchExpressions:
3643 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3644 type: array
3645 items:
3646 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3647 type: object
3648 required:
3649 - key
3650 - operator
3651 properties:
3652 key:
3653 description: key is the label key that the selector applies to.
3654 type: string
3655 operator:
3656 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3657 type: string
3658 values:
3659 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3660 type: array
3661 items:
3662 type: string
3663 matchLabels:
3664 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3665 type: object
3666 additionalProperties:
3667 type: string
3668 namespaces:
3669 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3670 type: array
3671 items:
3672 type: string
3673 topologyKey:
3674 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3675 type: string
3676 weight:
3677 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3678 type: integer
3679 format: int32
3680 requiredDuringSchedulingIgnoredDuringExecution:
3681 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3682 type: array
3683 items:
3684 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3685 type: object
3686 required:
3687 - topologyKey
3688 properties:
3689 labelSelector:
3690 description: A label query over a set of resources, in this case pods.
3691 type: object
3692 properties:
3693 matchExpressions:
3694 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3695 type: array
3696 items:
3697 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3698 type: object
3699 required:
3700 - key
3701 - operator
3702 properties:
3703 key:
3704 description: key is the label key that the selector applies to.
3705 type: string
3706 operator:
3707 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3708 type: string
3709 values:
3710 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3711 type: array
3712 items:
3713 type: string
3714 matchLabels:
3715 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3716 type: object
3717 additionalProperties:
3718 type: string
3719 namespaceSelector:
3720 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3721 type: object
3722 properties:
3723 matchExpressions:
3724 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3725 type: array
3726 items:
3727 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3728 type: object
3729 required:
3730 - key
3731 - operator
3732 properties:
3733 key:
3734 description: key is the label key that the selector applies to.
3735 type: string
3736 operator:
3737 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3738 type: string
3739 values:
3740 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3741 type: array
3742 items:
3743 type: string
3744 matchLabels:
3745 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3746 type: object
3747 additionalProperties:
3748 type: string
3749 namespaces:
3750 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector mean "this pod's namespace".
3751 type: array
3752 items:
3753 type: string
3754 topologyKey:
3755 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3756 type: string
3757 podAntiAffinity:
3758 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3759 type: object
3760 properties:
3761 preferredDuringSchedulingIgnoredDuringExecution:
3762 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3763 type: array
3764 items:
3765 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3766 type: object
3767 required:
3768 - podAffinityTerm
3769 - weight
3770 properties:
3771 podAffinityTerm:
3772 description: Required. A pod affinity term, associated with the corresponding weight.
3773 type: object
3774 required:
3775 - topologyKey
3776 properties:
3777 labelSelector:
3778 description: A label query over a set of resources, in this case pods.
3779 type: object
3780 properties:
3781 matchExpressions:
3782 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3783 type: array
3784 items:
3785 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3786 type: object
3787 required:
3788 - key
3789 - operator
3790 properties:
3791 key:
3792 description: key is the label key that the selector applies to.
3793 type: string
3794 operator:
3795 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3796 type: string
3797 values:
3798 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3799 type: array
3800 items:
3801 type: string
3802 matchLabels:
3803 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3804 type: object
3805 additionalProperties:
3806 type: string
3807 namespaceSelector:
3808 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list mean "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
3809 type: object
3810 properties:
3811 matchExpressions:
3812 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3813 type: array
3814 items:
3815 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3816 type: object
3817 required:
3818 - key
3819 - operator
3820 properties:
3821 key:
3822 description: key is the label key that the selector applies to.
3823 type: string
3824 operator:
3825 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3826 type: string
3827 values:
3828 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3829 type: array
3830 items:
3831 type: string
3832 matchLabels:
3833 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3834 type: object
3835 additionalProperties:
3836 type: string
3837 namespaces:
3838 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector mean "this pod's namespace".
3839 type: array
3840 items:
3841 type: string
3842 topologyKey:
3843 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3844 type: string
3845 weight:
3846 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3847 type: integer
3848 format: int32
3849 requiredDuringSchedulingIgnoredDuringExecution:
3850 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3851 type: array
3852 items:
3853 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3854 type: object
3855 required:
3856 - topologyKey
3857 properties:
3858 labelSelector:
3859 description: A label query over a set of resources, in this case pods.
3860 type: object
3861 properties:
3862 matchExpressions:
3863 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3864 type: array
3865 items:
3866 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3867 type: object
3868 required:
3869 - key
3870 - operator
3871 properties:
3872 key:
3873 description: key is the label key that the selector applies to.
3874 type: string
3875 operator:
3876 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3877 type: string
3878 values:
3879 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3880 type: array
3881 items:
3882 type: string
3883 matchLabels:
3884 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3885 type: object
3886 additionalProperties:
3887 type: string
3888 namespaceSelector:
3889 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list mean "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
3890 type: object
3891 properties:
3892 matchExpressions:
3893 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3894 type: array
3895 items:
3896 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3897 type: object
3898 required:
3899 - key
3900 - operator
3901 properties:
3902 key:
3903 description: key is the label key that the selector applies to.
3904 type: string
3905 operator:
3906 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3907 type: string
3908 values:
3909 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3910 type: array
3911 items:
3912 type: string
3913 matchLabels:
3914 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3915 type: object
3916 additionalProperties:
3917 type: string
3918 namespaces:
3919 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector mean "this pod's namespace".
3920 type: array
3921 items:
3922 type: string
3923 topologyKey:
3924 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3925 type: string
3926 nodeSelector:
3927 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3928 type: object
3929 additionalProperties:
3930 type: string
3931 priorityClassName:
3932 description: If specified, the pod's priorityClassName.
3933 type: string
3934 serviceAccountName:
3935 description: If specified, the pod's service account
3936 type: string
3937 tolerations:
3938 description: If specified, the pod's tolerations.
3939 type: array
3940 items:
3941 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3942 type: object
3943 properties:
3944 effect:
3945 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3946 type: string
3947 key:
3948 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3949 type: string
3950 operator:
3951 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3952 type: string
3953 tolerationSeconds:
3954 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3955 type: integer
3956 format: int64
3957 value:
3958 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3959 type: string
3960 serviceType:
3961 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3962 type: string
3963 selector:
3964 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3965 type: object
3966 properties:
3967 dnsNames:
3968 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3969 type: array
3970 items:
3971 type: string
3972 dnsZones:
3973 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3974 type: array
3975 items:
3976 type: string
3977 matchLabels:
3978 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3979 type: object
3980 additionalProperties:
3981 type: string
3982 token:
3983 description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3984 type: string
3985 type:
3986 description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3987 type: string
3988 enum:
3989 - http-01
3990 - dns-01
3991 url:
3992 description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3993 type: string
3994 wildcard:
3995 description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
3996 type: boolean
3997 status:
3998 type: object
3999 properties:
4000 presented:
4001 description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4002 type: boolean
4003 processing:
4004 description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4005 type: boolean
4006 reason:
4007 description: Reason contains human readable information on why the Challenge is in the current state.
4008 type: string
4009 state:
4010 description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4011 type: string
4012 enum:
4013 - valid
4014 - ready
4015 - pending
4016 - processing
4017 - invalid
4018 - expired
4019 - errored
4020 served: true
4021 storage: false
4022 subresources:
4023 status: {}
4024 - additionalPrinterColumns:
4025 - jsonPath: .status.state
4026 name: State
4027 type: string
4028 - jsonPath: .spec.dnsName
4029 name: Domain
4030 type: string
4031 - jsonPath: .status.reason
4032 name: Reason
4033 priority: 1
4034 type: string
4035 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4036 jsonPath: .metadata.creationTimestamp
4037 name: Age
4038 type: date
4039 name: v1beta1
4040 schema:
4041 openAPIV3Schema:
4042 description: Challenge is a type to represent a Challenge request with an ACME server
4043 type: object
4044 required:
4045 - metadata
4046 - spec
4047 properties:
4048 apiVersion:
4049 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4050 type: string
4051 kind:
4052 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4053 type: string
4054 metadata:
4055 type: object
4056 spec:
4057 type: object
4058 required:
4059 - authorizationURL
4060 - dnsName
4061 - issuerRef
4062 - key
4063 - solver
4064 - token
4065 - type
4066 - url
4067 properties:
4068 authorizationURL:
4069 description: The URL to the ACME Authorization resource that this challenge is a part of.
4070 type: string
4071 dnsName:
4072 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
4073 type: string
4074 issuerRef:
4075 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
4076 type: object
4077 required:
4078 - name
4079 properties:
4080 group:
4081 description: Group of the resource being referred to.
4082 type: string
4083 kind:
4084 description: Kind of the resource being referred to.
4085 type: string
4086 name:
4087 description: Name of the resource being referred to.
4088 type: string
4089 key:
4090 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
4091 type: string
4092 solver:
4093 description: Contains the domain solving configuration that should be used to solve this challenge resource.
4094 type: object
4095 properties:
4096 dns01:
4097 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
4098 type: object
4099 properties:
4100 acmeDNS:
4101 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
4102 type: object
4103 required:
4104 - accountSecretRef
4105 - host
4106 properties:
4107 accountSecretRef:
4108 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4109 type: object
4110 required:
4111 - name
4112 properties:
4113 key:
4114 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4115 type: string
4116 name:
4117 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4118 type: string
4119 host:
4120 type: string
4121 akamai:
4122 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
4123 type: object
4124 required:
4125 - accessTokenSecretRef
4126 - clientSecretSecretRef
4127 - clientTokenSecretRef
4128 - serviceConsumerDomain
4129 properties:
4130 accessTokenSecretRef:
4131 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4132 type: object
4133 required:
4134 - name
4135 properties:
4136 key:
4137 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4138 type: string
4139 name:
4140 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4141 type: string
4142 clientSecretSecretRef:
4143 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4144 type: object
4145 required:
4146 - name
4147 properties:
4148 key:
4149 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4150 type: string
4151 name:
4152 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4153 type: string
4154 clientTokenSecretRef:
4155 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4156 type: object
4157 required:
4158 - name
4159 properties:
4160 key:
4161 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4162 type: string
4163 name:
4164 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4165 type: string
4166 serviceConsumerDomain:
4167 type: string
4168 azureDNS:
4169 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
4170 type: object
4171 required:
4172 - resourceGroupName
4173 - subscriptionID
4174 properties:
4175 clientID:
4176 description: If both this and ClientSecret are left unset, MSI will be used.
4177 type: string
4178 clientSecretSecretRef:
4179 description: If both this and ClientID are left unset, MSI will be used.
4180 type: object
4181 required:
4182 - name
4183 properties:
4184 key:
4185 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4186 type: string
4187 name:
4188 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4189 type: string
4190 environment:
4191 type: string
4192 enum:
4193 - AzurePublicCloud
4194 - AzureChinaCloud
4195 - AzureGermanCloud
4196 - AzureUSGovernmentCloud
4197 hostedZoneName:
4198 type: string
4199 resourceGroupName:
4200 type: string
4201 subscriptionID:
4202 type: string
4203 tenantID:
4204 description: When specifying ClientID and ClientSecret, this field is also required.
4205 type: string
4206 cloudDNS:
4207 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
4208 type: object
4209 required:
4210 - project
4211 properties:
4212 hostedZoneName:
4213 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
4214 type: string
4215 project:
4216 type: string
4217 serviceAccountSecretRef:
4218 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4219 type: object
4220 required:
4221 - name
4222 properties:
4223 key:
4224 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4225 type: string
4226 name:
4227 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4228 type: string
4229 cloudflare:
4230 description: Use the Cloudflare API to manage DNS01 challenge records.
4231 type: object
4232 properties:
4233 apiKeySecretRef:
4234 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
4235 type: object
4236 required:
4237 - name
4238 properties:
4239 key:
4240 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4241 type: string
4242 name:
4243 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4244 type: string
4245 apiTokenSecretRef:
4246 description: API token used to authenticate with Cloudflare.
4247 type: object
4248 required:
4249 - name
4250 properties:
4251 key:
4252 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4253 type: string
4254 name:
4255 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4256 type: string
4257 email:
4258 description: Email of the account, only required when using API key based authentication.
4259 type: string
4260 cnameStrategy:
4261 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
4262 type: string
4263 enum:
4264 - None
4265 - Follow
4266 digitalocean:
4267 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
4268 type: object
4269 required:
4270 - tokenSecretRef
4271 properties:
4272 tokenSecretRef:
4273 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4274 type: object
4275 required:
4276 - name
4277 properties:
4278 key:
4279 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4280 type: string
4281 name:
4282 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4283 type: string
4284 rfc2136:
4285 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
4286 type: object
4287 required:
4288 - nameserver
4289 properties:
4290 nameserver:
4291 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
4292 type: string
4293 tsigAlgorithm:
4294 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
4295 type: string
4296 tsigKeyName:
4297 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
4298 type: string
4299 tsigSecretSecretRef:
4300 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
4301 type: object
4302 required:
4303 - name
4304 properties:
4305 key:
4306 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4307 type: string
4308 name:
4309 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4310 type: string
4311 route53:
4312 description: Use the AWS Route53 API to manage DNS01 challenge records.
4313 type: object
4314 required:
4315 - region
4316 properties:
4317 accessKeyID:
4318 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
4319 type: string
4320 hostedZoneID:
4321 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
4322 type: string
4323 region:
4324 description: Always set the region when using AccessKeyID and SecretAccessKey.
4325 type: string
4326 role:
4327 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, the shared credentials file or AWS Instance metadata.
4328 type: string
4329 secretAccessKeySecretRef:
4330 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata (see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials).
4331 type: object
4332 required:
4333 - name
4334 properties:
4335 key:
4336 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4337 type: string
4338 name:
4339 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4340 type: string
4341 webhook:
4342 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
4343 type: object
4344 required:
4345 - groupName
4346 - solverName
4347 properties:
4348 config:
4349 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
4350 x-kubernetes-preserve-unknown-fields: true
4351 groupName:
4352 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
4353 type: string
4354 solverName:
4355 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
4356 type: string
4357 http01:
4358 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
4359 type: object
4360 properties:
4361 gatewayHTTPRoute:
4362 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
4363 type: object
4364 properties:
4365 labels:
4366 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
4367 type: object
4368 additionalProperties:
4369 type: string
4370 serviceType:
4371 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4372 type: string
4373 ingress:
4374 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
4375 type: object
4376 properties:
4377 class:
4378 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
4379 type: string
4380 ingressTemplate:
4381 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
4382 type: object
4383 properties:
4384 metadata:
4385 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4386 type: object
4387 properties:
4388 annotations:
4389 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
4390 type: object
4391 additionalProperties:
4392 type: string
4393 labels:
4394 description: Labels that should be added to the created ACME HTTP01 solver ingress.
4395 type: object
4396 additionalProperties:
4397 type: string
4398 name:
4399 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
4400 type: string
4401 podTemplate:
4402 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
4403 type: object
4404 properties:
4405 metadata:
4406 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4407 type: object
4408 properties:
4409 annotations:
4410 description: Annotations that should be added to the created ACME HTTP01 solver pods.
4411 type: object
4412 additionalProperties:
4413 type: string
4414 labels:
4415 description: Labels that should be added to the created ACME HTTP01 solver pods.
4416 type: object
4417 additionalProperties:
4418 type: string
4419 spec:
4420 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
4421 type: object
4422 properties:
4423 affinity:
4424 description: If specified, the pod's scheduling constraints
4425 type: object
4426 properties:
4427 nodeAffinity:
4428 description: Describes node affinity scheduling rules for the pod.
4429 type: object
4430 properties:
4431 preferredDuringSchedulingIgnoredDuringExecution:
4432 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
4433 type: array
4434 items:
4435 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
4436 type: object
4437 required:
4438 - preference
4439 - weight
4440 properties:
4441 preference:
4442 description: A node selector term, associated with the corresponding weight.
4443 type: object
4444 properties:
4445 matchExpressions:
4446 description: A list of node selector requirements by node's labels.
4447 type: array
4448 items:
4449 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4450 type: object
4451 required:
4452 - key
4453 - operator
4454 properties:
4455 key:
4456 description: The label key that the selector applies to.
4457 type: string
4458 operator:
4459 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4460 type: string
4461 values:
4462 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4463 type: array
4464 items:
4465 type: string
4466 matchFields:
4467 description: A list of node selector requirements by node's fields.
4468 type: array
4469 items:
4470 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4471 type: object
4472 required:
4473 - key
4474 - operator
4475 properties:
4476 key:
4477 description: The label key that the selector applies to.
4478 type: string
4479 operator:
4480 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4481 type: string
4482 values:
4483 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4484 type: array
4485 items:
4486 type: string
4487 weight:
4488 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
4489 type: integer
4490 format: int32
4491 requiredDuringSchedulingIgnoredDuringExecution:
4492 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
4493 type: object
4494 required:
4495 - nodeSelectorTerms
4496 properties:
4497 nodeSelectorTerms:
4498 description: Required. A list of node selector terms. The terms are ORed.
4499 type: array
4500 items:
4501 description: A null or empty node selector term matches no objects. Its requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
4502 type: object
4503 properties:
4504 matchExpressions:
4505 description: A list of node selector requirements by node's labels.
4506 type: array
4507 items:
4508 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4509 type: object
4510 required:
4511 - key
4512 - operator
4513 properties:
4514 key:
4515 description: The label key that the selector applies to.
4516 type: string
4517 operator:
4518 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4519 type: string
4520 values:
4521 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4522 type: array
4523 items:
4524 type: string
4525 matchFields:
4526 description: A list of node selector requirements by node's fields.
4527 type: array
4528 items:
4529 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4530 type: object
4531 required:
4532 - key
4533 - operator
4534 properties:
4535 key:
4536 description: The label key that the selector applies to.
4537 type: string
4538 operator:
4539 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4540 type: string
4541 values:
4542 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4543 type: array
4544 items:
4545 type: string
4546 podAffinity:
4547 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
4548 type: object
4549 properties:
4550 preferredDuringSchedulingIgnoredDuringExecution:
4551 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4552 type: array
4553 items:
4554 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4555 type: object
4556 required:
4557 - podAffinityTerm
4558 - weight
4559 properties:
4560 podAffinityTerm:
4561 description: Required. A pod affinity term, associated with the corresponding weight.
4562 type: object
4563 required:
4564 - topologyKey
4565 properties:
4566 labelSelector:
4567 description: A label query over a set of resources, in this case pods.
4568 type: object
4569 properties:
4570 matchExpressions:
4571 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4572 type: array
4573 items:
4574 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4575 type: object
4576 required:
4577 - key
4578 - operator
4579 properties:
4580 key:
4581 description: key is the label key that the selector applies to.
4582 type: string
4583 operator:
4584 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4585 type: string
4586 values:
4587 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4588 type: array
4589 items:
4590 type: string
4591 matchLabels:
4592 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4593 type: object
4594 additionalProperties:
4595 type: string
4596 namespaceSelector:
4597 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4598 type: object
4599 properties:
4600 matchExpressions:
4601 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4602 type: array
4603 items:
4604 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4605 type: object
4606 required:
4607 - key
4608 - operator
4609 properties:
4610 key:
4611 description: key is the label key that the selector applies to.
4612 type: string
4613 operator:
4614 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4615 type: string
4616 values:
4617 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4618 type: array
4619 items:
4620 type: string
4621 matchLabels:
4622 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4623 type: object
4624 additionalProperties:
4625 type: string
4626 namespaces:
4627 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4628 type: array
4629 items:
4630 type: string
4631 topologyKey:
4632 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4633 type: string
4634 weight:
4635 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4636 type: integer
4637 format: int32
4638 requiredDuringSchedulingIgnoredDuringExecution:
4639 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4640 type: array
4641 items:
4642 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4643 type: object
4644 required:
4645 - topologyKey
4646 properties:
4647 labelSelector:
4648 description: A label query over a set of resources, in this case pods.
4649 type: object
4650 properties:
4651 matchExpressions:
4652 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4653 type: array
4654 items:
4655 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4656 type: object
4657 required:
4658 - key
4659 - operator
4660 properties:
4661 key:
4662 description: key is the label key that the selector applies to.
4663 type: string
4664 operator:
4665 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4666 type: string
4667 values:
4668 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4669 type: array
4670 items:
4671 type: string
4672 matchLabels:
4673 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4674 type: object
4675 additionalProperties:
4676 type: string
4677 namespaceSelector:
4678 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4679 type: object
4680 properties:
4681 matchExpressions:
4682 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4683 type: array
4684 items:
4685 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4686 type: object
4687 required:
4688 - key
4689 - operator
4690 properties:
4691 key:
4692 description: key is the label key that the selector applies to.
4693 type: string
4694 operator:
4695 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4696 type: string
4697 values:
4698 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4699 type: array
4700 items:
4701 type: string
4702 matchLabels:
4703 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4704 type: object
4705 additionalProperties:
4706 type: string
4707 namespaces:
4708 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4709 type: array
4710 items:
4711 type: string
4712 topologyKey:
4713 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4714 type: string
4715 podAntiAffinity:
4716 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
4717 type: object
4718 properties:
4719 preferredDuringSchedulingIgnoredDuringExecution:
4720 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4721 type: array
4722 items:
4723 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4724 type: object
4725 required:
4726 - podAffinityTerm
4727 - weight
4728 properties:
4729 podAffinityTerm:
4730 description: Required. A pod affinity term, associated with the corresponding weight.
4731 type: object
4732 required:
4733 - topologyKey
4734 properties:
4735 labelSelector:
4736 description: A label query over a set of resources, in this case pods.
4737 type: object
4738 properties:
4739 matchExpressions:
4740 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4741 type: array
4742 items:
4743 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4744 type: object
4745 required:
4746 - key
4747 - operator
4748 properties:
4749 key:
4750 description: key is the label key that the selector applies to.
4751 type: string
4752 operator:
4753 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4754 type: string
4755 values:
4756 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4757 type: array
4758 items:
4759 type: string
4760 matchLabels:
4761 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4762 type: object
4763 additionalProperties:
4764 type: string
4765 namespaceSelector:
4766 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4767 type: object
4768 properties:
4769 matchExpressions:
4770 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4771 type: array
4772 items:
4773 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4774 type: object
4775 required:
4776 - key
4777 - operator
4778 properties:
4779 key:
4780 description: key is the label key that the selector applies to.
4781 type: string
4782 operator:
4783 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4784 type: string
4785 values:
4786 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4787 type: array
4788 items:
4789 type: string
4790 matchLabels:
4791 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4792 type: object
4793 additionalProperties:
4794 type: string
4795 namespaces:
4796 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4797 type: array
4798 items:
4799 type: string
4800 topologyKey:
4801 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4802 type: string
4803 weight:
4804 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4805 type: integer
4806 format: int32
4807 requiredDuringSchedulingIgnoredDuringExecution:
4808 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4809 type: array
4810 items:
4811 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4812 type: object
4813 required:
4814 - topologyKey
4815 properties:
4816 labelSelector:
4817 description: A label query over a set of resources, in this case pods.
4818 type: object
4819 properties:
4820 matchExpressions:
4821 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4822 type: array
4823 items:
4824 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4825 type: object
4826 required:
4827 - key
4828 - operator
4829 properties:
4830 key:
4831 description: key is the label key that the selector applies to.
4832 type: string
4833 operator:
4834 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4835 type: string
4836 values:
4837 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4838 type: array
4839 items:
4840 type: string
4841 matchLabels:
4842 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4843 type: object
4844 additionalProperties:
4845 type: string
4846 namespaceSelector:
4847 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4848 type: object
4849 properties:
4850 matchExpressions:
4851 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4852 type: array
4853 items:
4854 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4855 type: object
4856 required:
4857 - key
4858 - operator
4859 properties:
4860 key:
4861 description: key is the label key that the selector applies to.
4862 type: string
4863 operator:
4864 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4865 type: string
4866 values:
4867 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4868 type: array
4869 items:
4870 type: string
4871 matchLabels:
4872 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4873 type: object
4874 additionalProperties:
4875 type: string
4876 namespaces:
4877 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4878 type: array
4879 items:
4880 type: string
4881 topologyKey:
4882 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4883 type: string
4884 nodeSelector:
4885 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
4886 type: object
4887 additionalProperties:
4888 type: string
4889 priorityClassName:
4890 description: If specified, the pod's priorityClassName.
4891 type: string
4892 serviceAccountName:
4893 description: If specified, the pod's service account
4894 type: string
4895 tolerations:
4896 description: If specified, the pod's tolerations.
4897 type: array
4898 items:
4899 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
4900 type: object
4901 properties:
4902 effect:
4903 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4904 type: string
4905 key:
4906 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4907 type: string
4908 operator:
4909 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
4910 type: string
4911 tolerationSeconds:
4912 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
4913 type: integer
4914 format: int64
4915 value:
4916 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
4917 type: string
4918 serviceType:
4919 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4920 type: string
4921 selector:
4922 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
4923 type: object
4924 properties:
4925 dnsNames:
4926 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4927 type: array
4928 items:
4929 type: string
4930 dnsZones:
4931 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4932 type: array
4933 items:
4934 type: string
4935 matchLabels:
4936 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
4937 type: object
4938 additionalProperties:
4939 type: string
4940 token:
4941 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
4942 type: string
4943 type:
4944 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
4945 type: string
4946 enum:
4947 - HTTP-01
4948 - DNS-01
4949 url:
4950 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
4951 type: string
4952 wildcard:
4953 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
4954 type: boolean
4955 status:
4956 type: object
4957 properties:
4958 presented:
4959 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4960 type: boolean
4961 processing:
4962 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4963 type: boolean
4964 reason:
4965 description: Contains human readable information on why the Challenge is in the current state.
4966 type: string
4967 state:
4968 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4969 type: string
4970 enum:
4971 - valid
4972 - ready
4973 - pending
4974 - processing
4975 - invalid
4976 - expired
4977 - errored
4978 served: true
4979 storage: false
4980 subresources:
4981 status: {}
4982 - additionalPrinterColumns:
4983 - jsonPath: .status.state
4984 name: State
4985 type: string
4986 - jsonPath: .spec.dnsName
4987 name: Domain
4988 type: string
4989 - jsonPath: .status.reason
4990 name: Reason
4991 priority: 1
4992 type: string
4993 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4994 jsonPath: .metadata.creationTimestamp
4995 name: Age
4996 type: date
4997 name: v1
4998 schema:
4999 openAPIV3Schema:
5000 description: Challenge is a type to represent a Challenge request with an ACME server
5001 type: object
5002 required:
5003 - metadata
5004 - spec
5005 properties:
5006 apiVersion:
5007 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
5008 type: string
5009 kind:
5010 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
5011 type: string
5012 metadata:
5013 type: object
5014 spec:
5015 type: object
5016 required:
5017 - authorizationURL
5018 - dnsName
5019 - issuerRef
5020 - key
5021 - solver
5022 - token
5023 - type
5024 - url
5025 properties:
5026 authorizationURL:
5027 description: The URL to the ACME Authorization resource that this challenge is a part of.
5028 type: string
5029 dnsName:
5030 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
5031 type: string
5032 issuerRef:
5033 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
5034 type: object
5035 required:
5036 - name
5037 properties:
5038 group:
5039 description: Group of the resource being referred to.
5040 type: string
5041 kind:
5042 description: Kind of the resource being referred to.
5043 type: string
5044 name:
5045 description: Name of the resource being referred to.
5046 type: string
5047 key:
5048 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
5049 type: string
5050 solver:
5051 description: Contains the domain solving configuration that should be used to solve this challenge resource.
5052 type: object
5053 properties:
5054 dns01:
5055 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
5056 type: object
5057 properties:
5058 acmeDNS:
5059 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
5060 type: object
5061 required:
5062 - accountSecretRef
5063 - host
5064 properties:
5065 accountSecretRef:
5066 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5067 type: object
5068 required:
5069 - name
5070 properties:
5071 key:
5072 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5073 type: string
5074 name:
5075 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5076 type: string
5077 host:
5078 type: string
5079 akamai:
5080 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
5081 type: object
5082 required:
5083 - accessTokenSecretRef
5084 - clientSecretSecretRef
5085 - clientTokenSecretRef
5086 - serviceConsumerDomain
5087 properties:
5088 accessTokenSecretRef:
5089 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5090 type: object
5091 required:
5092 - name
5093 properties:
5094 key:
5095 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5096 type: string
5097 name:
5098 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5099 type: string
5100 clientSecretSecretRef:
5101 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5102 type: object
5103 required:
5104 - name
5105 properties:
5106 key:
5107 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5108 type: string
5109 name:
5110 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5111 type: string
5112 clientTokenSecretRef:
5113 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5114 type: object
5115 required:
5116 - name
5117 properties:
5118 key:
5119 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5120 type: string
5121 name:
5122 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5123 type: string
5124 serviceConsumerDomain:
5125 type: string
5126 azureDNS:
5127 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
5128 type: object
5129 required:
5130 - resourceGroupName
5131 - subscriptionID
5132 properties:
5133 clientID:
5134 description: If both this and ClientSecret are left unset, MSI will be used.
5135 type: string
5136 clientSecretSecretRef:
5137 description: If both this and ClientID are left unset, MSI will be used.
5138 type: object
5139 required:
5140 - name
5141 properties:
5142 key:
5143 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5144 type: string
5145 name:
5146 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5147 type: string
5148 environment:
5149 type: string
5150 enum:
5151 - AzurePublicCloud
5152 - AzureChinaCloud
5153 - AzureGermanCloud
5154 - AzureUSGovernmentCloud
5155 hostedZoneName:
5156 type: string
5157 resourceGroupName:
5158 type: string
5159 subscriptionID:
5160 type: string
5161 tenantID:
5162 description: When ClientID and ClientSecret are specified, this field is also required.
5163 type: string
5164 cloudDNS:
5165 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
5166 type: object
5167 required:
5168 - project
5169 properties:
5170 hostedZoneName:
5171 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
5172 type: string
5173 project:
5174 type: string
5175 serviceAccountSecretRef:
5176 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5177 type: object
5178 required:
5179 - name
5180 properties:
5181 key:
5182 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5183 type: string
5184 name:
5185 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5186 type: string
5187 cloudflare:
5188 description: Use the Cloudflare API to manage DNS01 challenge records.
5189 type: object
5190 properties:
5191 apiKeySecretRef:
5192 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
5193 type: object
5194 required:
5195 - name
5196 properties:
5197 key:
5198 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5199 type: string
5200 name:
5201 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5202 type: string
5203 apiTokenSecretRef:
5204 description: API token used to authenticate with Cloudflare.
5205 type: object
5206 required:
5207 - name
5208 properties:
5209 key:
5210 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5211 type: string
5212 name:
5213 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5214 type: string
5215 email:
5216 description: Email of the account, only required when using API key based authentication.
5217 type: string
5218 cnameStrategy:
5219 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
5220 type: string
5221 enum:
5222 - None
5223 - Follow
5224 digitalocean:
5225 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
5226 type: object
5227 required:
5228 - tokenSecretRef
5229 properties:
5230 tokenSecretRef:
5231 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5232 type: object
5233 required:
5234 - name
5235 properties:
5236 key:
5237 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5238 type: string
5239 name:
5240 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5241 type: string
5242 rfc2136:
5243 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
5244 type: object
5245 required:
5246 - nameserver
5247 properties:
5248 nameserver:
5249 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
5250 type: string
5251 tsigAlgorithm:
5252 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
5253 type: string
5254 tsigKeyName:
5255 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
5256 type: string
5257 tsigSecretSecretRef:
5258 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
5259 type: object
5260 required:
5261 - name
5262 properties:
5263 key:
5264 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5265 type: string
5266 name:
5267 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5268 type: string
5269 route53:
5270 description: Use the AWS Route53 API to manage DNS01 challenge records.
5271 type: object
5272 required:
5273 - region
5274 properties:
5275 accessKeyID:
5276 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
5277 type: string
5278 hostedZoneID:
5279 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
5280 type: string
5281 region:
5282 description: Always set the region when using AccessKeyID and SecretAccessKey.
5283 type: string
5284 role:
5285 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
5286 type: string
5287 secretAccessKeySecretRef:
5288 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
5289 type: object
5290 required:
5291 - name
5292 properties:
5293 key:
5294 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5295 type: string
5296 name:
5297 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5298 type: string
5299 webhook:
5300 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
5301 type: object
5302 required:
5303 - groupName
5304 - solverName
5305 properties:
5306 config:
5307 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
5308 x-kubernetes-preserve-unknown-fields: true
5309 groupName:
5310 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
5311 type: string
5312 solverName:
5313 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
5314 type: string
5315 http01:
5316 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
5317 type: object
5318 properties:
5319 gatewayHTTPRoute:
5320 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
5321 type: object
5322 properties:
5323 labels:
5324 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
5325 type: object
5326 additionalProperties:
5327 type: string
5328 serviceType:
5329 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5330 type: string
5331 ingress:
5332 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
5333 type: object
5334 properties:
5335 class:
5336 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
5337 type: string
5338 ingressTemplate:
5339 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
5340 type: object
5341 properties:
5342 metadata:
5343 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5344 type: object
5345 properties:
5346 annotations:
5347 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
5348 type: object
5349 additionalProperties:
5350 type: string
5351 labels:
5352 description: Labels that should be added to the created ACME HTTP01 solver ingress.
5353 type: object
5354 additionalProperties:
5355 type: string
5356 name:
5357 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
5358 type: string
5359 podTemplate:
5360 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
5361 type: object
5362 properties:
5363 metadata:
5364 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5365 type: object
5366 properties:
5367 annotations:
5368 description: Annotations that should be added to the created ACME HTTP01 solver pods.
5369 type: object
5370 additionalProperties:
5371 type: string
5372 labels:
5373 description: Labels that should be added to the created ACME HTTP01 solver pods.
5374 type: object
5375 additionalProperties:
5376 type: string
5377 spec:
5378 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
5379 type: object
5380 properties:
5381 affinity:
5382 description: If specified, the pod's scheduling constraints
5383 type: object
5384 properties:
5385 nodeAffinity:
5386 description: Describes node affinity scheduling rules for the pod.
5387 type: object
5388 properties:
5389 preferredDuringSchedulingIgnoredDuringExecution:
5390 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
5391 type: array
5392 items:
5393 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
5394 type: object
5395 required:
5396 - preference
5397 - weight
5398 properties:
5399 preference:
5400 description: A node selector term, associated with the corresponding weight.
5401 type: object
5402 properties:
5403 matchExpressions:
5404 description: A list of node selector requirements by node's labels.
5405 type: array
5406 items:
5407 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5408 type: object
5409 required:
5410 - key
5411 - operator
5412 properties:
5413 key:
5414 description: The label key that the selector applies to.
5415 type: string
5416 operator:
5417 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5418 type: string
5419 values:
5420 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5421 type: array
5422 items:
5423 type: string
5424 matchFields:
5425 description: A list of node selector requirements by node's fields.
5426 type: array
5427 items:
5428 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5429 type: object
5430 required:
5431 - key
5432 - operator
5433 properties:
5434 key:
5435 description: The label key that the selector applies to.
5436 type: string
5437 operator:
5438 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5439 type: string
5440 values:
5441 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5442 type: array
5443 items:
5444 type: string
5445 weight:
5446 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
5447 type: integer
5448 format: int32
5449 requiredDuringSchedulingIgnoredDuringExecution:
5450 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
5451 type: object
5452 required:
5453 - nodeSelectorTerms
5454 properties:
5455 nodeSelectorTerms:
5456 description: Required. A list of node selector terms. The terms are ORed.
5457 type: array
5458 items:
5459 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
5460 type: object
5461 properties:
5462 matchExpressions:
5463 description: A list of node selector requirements by node's labels.
5464 type: array
5465 items:
5466 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5467 type: object
5468 required:
5469 - key
5470 - operator
5471 properties:
5472 key:
5473 description: The label key that the selector applies to.
5474 type: string
5475 operator:
5476 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5477 type: string
5478 values:
5479 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5480 type: array
5481 items:
5482 type: string
5483 matchFields:
5484 description: A list of node selector requirements by node's fields.
5485 type: array
5486 items:
5487 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5488 type: object
5489 required:
5490 - key
5491 - operator
5492 properties:
5493 key:
5494 description: The label key that the selector applies to.
5495 type: string
5496 operator:
5497 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5498 type: string
5499 values:
5500 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5501 type: array
5502 items:
5503 type: string
5504 podAffinity:
5505 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
5506 type: object
5507 properties:
5508 preferredDuringSchedulingIgnoredDuringExecution:
5509 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5510 type: array
5511 items:
5512 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5513 type: object
5514 required:
5515 - podAffinityTerm
5516 - weight
5517 properties:
5518 podAffinityTerm:
5519 description: Required. A pod affinity term, associated with the corresponding weight.
5520 type: object
5521 required:
5522 - topologyKey
5523 properties:
5524 labelSelector:
5525 description: A label query over a set of resources, in this case pods.
5526 type: object
5527 properties:
5528 matchExpressions:
5529 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5530 type: array
5531 items:
5532 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5533 type: object
5534 required:
5535 - key
5536 - operator
5537 properties:
5538 key:
5539 description: key is the label key that the selector applies to.
5540 type: string
5541 operator:
5542 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5543 type: string
5544 values:
5545 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5546 type: array
5547 items:
5548 type: string
5549 matchLabels:
5550 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5551 type: object
5552 additionalProperties:
5553 type: string
5554 namespaceSelector:
5555 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5556 type: object
5557 properties:
5558 matchExpressions:
5559 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5560 type: array
5561 items:
5562 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5563 type: object
5564 required:
5565 - key
5566 - operator
5567 properties:
5568 key:
5569 description: key is the label key that the selector applies to.
5570 type: string
5571 operator:
5572 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5573 type: string
5574 values:
5575 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5576 type: array
5577 items:
5578 type: string
5579 matchLabels:
5580 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5581 type: object
5582 additionalProperties:
5583 type: string
5584 namespaces:
5585 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5586 type: array
5587 items:
5588 type: string
5589 topologyKey:
5590 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5591 type: string
5592 weight:
5593 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5594 type: integer
5595 format: int32
5596 requiredDuringSchedulingIgnoredDuringExecution:
5597 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5598 type: array
5599 items:
5600 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5601 type: object
5602 required:
5603 - topologyKey
5604 properties:
5605 labelSelector:
5606 description: A label query over a set of resources, in this case pods.
5607 type: object
5608 properties:
5609 matchExpressions:
5610 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5611 type: array
5612 items:
5613 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5614 type: object
5615 required:
5616 - key
5617 - operator
5618 properties:
5619 key:
5620 description: key is the label key that the selector applies to.
5621 type: string
5622 operator:
5623 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5624 type: string
5625 values:
5626 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5627 type: array
5628 items:
5629 type: string
5630 matchLabels:
5631 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5632 type: object
5633 additionalProperties:
5634 type: string
5635 namespaceSelector:
5636 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5637 type: object
5638 properties:
5639 matchExpressions:
5640 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5641 type: array
5642 items:
5643 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5644 type: object
5645 required:
5646 - key
5647 - operator
5648 properties:
5649 key:
5650 description: key is the label key that the selector applies to.
5651 type: string
5652 operator:
5653 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5654 type: string
5655 values:
5656 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5657 type: array
5658 items:
5659 type: string
5660 matchLabels:
5661 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5662 type: object
5663 additionalProperties:
5664 type: string
5665 namespaces:
5666 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5667 type: array
5668 items:
5669 type: string
5670 topologyKey:
5671 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5672 type: string
5673 podAntiAffinity:
5674 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
5675 type: object
5676 properties:
5677 preferredDuringSchedulingIgnoredDuringExecution:
5678 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5679 type: array
5680 items:
5681 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5682 type: object
5683 required:
5684 - podAffinityTerm
5685 - weight
5686 properties:
5687 podAffinityTerm:
5688 description: Required. A pod affinity term, associated with the corresponding weight.
5689 type: object
5690 required:
5691 - topologyKey
5692 properties:
5693 labelSelector:
5694 description: A label query over a set of resources, in this case pods.
5695 type: object
5696 properties:
5697 matchExpressions:
5698 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5699 type: array
5700 items:
5701 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5702 type: object
5703 required:
5704 - key
5705 - operator
5706 properties:
5707 key:
5708 description: key is the label key that the selector applies to.
5709 type: string
5710 operator:
5711 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5712 type: string
5713 values:
5714 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5715 type: array
5716 items:
5717 type: string
5718 matchLabels:
5719 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5720 type: object
5721 additionalProperties:
5722 type: string
5723 namespaceSelector:
5724 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5725 type: object
5726 properties:
5727 matchExpressions:
5728 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5729 type: array
5730 items:
5731 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5732 type: object
5733 required:
5734 - key
5735 - operator
5736 properties:
5737 key:
5738 description: key is the label key that the selector applies to.
5739 type: string
5740 operator:
5741 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5742 type: string
5743 values:
5744 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5745 type: array
5746 items:
5747 type: string
5748 matchLabels:
5749 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5750 type: object
5751 additionalProperties:
5752 type: string
5753 namespaces:
5754 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5755 type: array
5756 items:
5757 type: string
5758 topologyKey:
5759 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5760 type: string
5761 weight:
5762 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5763 type: integer
5764 format: int32
5765 requiredDuringSchedulingIgnoredDuringExecution:
5766 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5767 type: array
5768 items:
5769 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5770 type: object
5771 required:
5772 - topologyKey
5773 properties:
5774 labelSelector:
5775 description: A label query over a set of resources, in this case pods.
5776 type: object
5777 properties:
5778 matchExpressions:
5779 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5780 type: array
5781 items:
5782 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5783 type: object
5784 required:
5785 - key
5786 - operator
5787 properties:
5788 key:
5789 description: key is the label key that the selector applies to.
5790 type: string
5791 operator:
5792 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5793 type: string
5794 values:
5795 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5796 type: array
5797 items:
5798 type: string
5799 matchLabels:
5800 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5801 type: object
5802 additionalProperties:
5803 type: string
5804 namespaceSelector:
5805 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5806 type: object
5807 properties:
5808 matchExpressions:
5809 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5810 type: array
5811 items:
5812 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5813 type: object
5814 required:
5815 - key
5816 - operator
5817 properties:
5818 key:
5819 description: key is the label key that the selector applies to.
5820 type: string
5821 operator:
5822 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5823 type: string
5824 values:
5825 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5826 type: array
5827 items:
5828 type: string
5829 matchLabels:
5830 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5831 type: object
5832 additionalProperties:
5833 type: string
5834 namespaces:
5835 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5836 type: array
5837 items:
5838 type: string
5839 topologyKey:
5840 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5841 type: string
5842 nodeSelector:
5843 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
5844 type: object
5845 additionalProperties:
5846 type: string
5847 priorityClassName:
5848 description: If specified, the pod's priorityClassName.
5849 type: string
5850 serviceAccountName:
5851 description: If specified, the pod's service account
5852 type: string
5853 tolerations:
5854 description: If specified, the pod's tolerations.
5855 type: array
5856 items:
5857 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
5858 type: object
5859 properties:
5860 effect:
5861 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
5862 type: string
5863 key:
5864 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
5865 type: string
5866 operator:
5867 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
5868 type: string
5869 tolerationSeconds:
5870 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
5871 type: integer
5872 format: int64
5873 value:
5874 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
5875 type: string
5876 serviceType:
5877 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5878 type: string
5879 selector:
5880 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
5881 type: object
5882 properties:
5883 dnsNames:
5884 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5885 type: array
5886 items:
5887 type: string
5888 dnsZones:
5889 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5890 type: array
5891 items:
5892 type: string
5893 matchLabels:
5894 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
5895 type: object
5896 additionalProperties:
5897 type: string
5898 token:
5899 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
5900 type: string
5901 type:
5902 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
5903 type: string
5904 enum:
5905 - HTTP-01
5906 - DNS-01
5907 url:
5908 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
5909 type: string
5910 wildcard:
5911 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
5912 type: boolean
5913 status:
5914 type: object
5915 properties:
5916 presented:
5917 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
5918 type: boolean
5919 processing:
5920 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
5921 type: boolean
5922 reason:
5923 description: Contains human readable information on why the Challenge is in the current state.
5924 type: string
5925 state:
5926 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
5927 type: string
5928 enum:
5929 - valid
5930 - ready
5931 - pending
5932 - processing
5933 - invalid
5934 - expired
5935 - errored
5936 served: true
5937 storage: true
5938 subresources:
5939 status: {}
5940---
5941# Source: cert-manager/templates/templates.out
5942apiVersion: apiextensions.k8s.io/v1
5943kind: CustomResourceDefinition
5944metadata:
5945 name: clusterissuers.cert-manager.io
5946 annotations:
5947 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
5948 labels:
5949 app: 'cert-manager'
5950 app.kubernetes.io/name: 'cert-manager'
5951 app.kubernetes.io/instance: 'cert-manager'
5952 # Generated labels
5953 app.kubernetes.io/version: "v1.5.4"
5954spec:
5955 group: cert-manager.io
5956 names:
5957 kind: ClusterIssuer
5958 listKind: ClusterIssuerList
5959 plural: clusterissuers
5960 singular: clusterissuer
5961 categories:
5962 - cert-manager
5963 scope: Cluster
5964 conversion:
5965 # A Webhook strategy instructs the API server to call an external webhook for any conversion between versions of the custom resource.
5966 strategy: Webhook
5967 # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint to be called by the API server.
5968 webhook:
5969 # We don't actually support `v1beta1` but it is listed here as it is a
5970 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
5971 # API server reads the supported versions in order, so _should always_
5972 # attempt a `v1` request which is understood by the cert-manager webhook.
5973 # Any `v1beta1` request will return an error and fail closed for that
5974 # resource (the whole object request is rejected).
5975 # When we no longer support v1.16 we can remove `v1beta1` from this list.
5976 conversionReviewVersions: ["v1", "v1beta1"]
5977 clientConfig:
5978 #
5979 service:
5980 name: 'cert-manager-webhook'
5981 namespace: "cert-manager"
5982 path: /convert
5983 #
5984 versions:
5985 - name: v1alpha2
5986 subresources:
5987 status: {}
5988 additionalPrinterColumns:
5989 - jsonPath: .status.conditions[?(@.type=="Ready")].status
5990 name: Ready
5991 type: string
5992 - jsonPath: .status.conditions[?(@.type=="Ready")].message
5993 name: Status
5994 priority: 1
5995 type: string
5996 - jsonPath: .metadata.creationTimestamp
5997 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
5998 name: Age
5999 type: date
6000 schema:
6001 openAPIV3Schema:
6002 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
6003 type: object
6004 properties:
6005 apiVersion:
6006 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6007 type: string
6008 kind:
6009 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6010 type: string
6011 metadata:
6012 type: object
6013 spec:
6014 description: Desired state of the ClusterIssuer resource.
6015 type: object
6016 properties:
6017 acme:
6018 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
6019 type: object
6020 required:
6021 - privateKeySecretRef
6022 - server
6023 properties:
6024 disableAccountKeyGeneration:
6025 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
6026 type: boolean
6027 email:
6028 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
6029 type: string
6030 enableDurationFeature:
6031 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
6032 type: boolean
6033 externalAccountBinding:
6034 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
6035 type: object
6036 required:
6037 - keyID
6038 - keySecretRef
6039 properties:
6040 keyAlgorithm:
6041 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
6042 type: string
6043 enum:
6044 - HS256
6045 - HS384
6046 - HS512
6047 keyID:
6048 description: keyID is the ID of the CA key that the External Account is bound to.
6049 type: string
6050 keySecretRef:
6051 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
6052 type: object
6053 required:
6054 - name
6055 properties:
6056 key:
6057 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6058 type: string
6059 name:
6060 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6061 type: string
6062 preferredChain:
6063 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
6064 type: string
6065 maxLength: 64
6066 privateKeySecretRef:
6067 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
6068 type: object
6069 required:
6070 - name
6071 properties:
6072 key:
6073 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6074 type: string
6075 name:
6076 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6077 type: string
6078 server:
6079 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
6080 type: string
6081 skipTLSVerify:
6082 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
6083 type: boolean
6084 solvers:
6085 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
6086 type: array
6087 items:
6088 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
6089 type: object
6090 properties:
6091 dns01:
6092 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
6093 type: object
6094 properties:
6095 acmedns:
6096 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
6097 type: object
6098 required:
6099 - accountSecretRef
6100 - host
6101 properties:
6102 accountSecretRef:
6103 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6104 type: object
6105 required:
6106 - name
6107 properties:
6108 key:
6109 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6110 type: string
6111 name:
6112 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6113 type: string
6114 host:
6115 type: string
6116 akamai:
6117 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
6118 type: object
6119 required:
6120 - accessTokenSecretRef
6121 - clientSecretSecretRef
6122 - clientTokenSecretRef
6123 - serviceConsumerDomain
6124 properties:
6125 accessTokenSecretRef:
6126 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6127 type: object
6128 required:
6129 - name
6130 properties:
6131 key:
6132 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6133 type: string
6134 name:
6135 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6136 type: string
6137 clientSecretSecretRef:
6138 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6139 type: object
6140 required:
6141 - name
6142 properties:
6143 key:
6144 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6145 type: string
6146 name:
6147 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6148 type: string
6149 clientTokenSecretRef:
6150 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6151 type: object
6152 required:
6153 - name
6154 properties:
6155 key:
6156 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6157 type: string
6158 name:
6159 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6160 type: string
6161 serviceConsumerDomain:
6162 type: string
6163 azuredns:
6164 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
6165 type: object
6166 required:
6167 - resourceGroupName
6168 - subscriptionID
6169 properties:
6170 clientID:
6171 description: If both this and ClientSecret are left unset, MSI will be used.
6172 type: string
6173 clientSecretSecretRef:
6174 description: If both this and ClientID are left unset, MSI will be used.
6175 type: object
6176 required:
6177 - name
6178 properties:
6179 key:
6180 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6181 type: string
6182 name:
6183 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6184 type: string
6185 environment:
6186 type: string
6187 enum:
6188 - AzurePublicCloud
6189 - AzureChinaCloud
6190 - AzureGermanCloud
6191 - AzureUSGovernmentCloud
6192 hostedZoneName:
6193 type: string
6194 resourceGroupName:
6195 type: string
6196 subscriptionID:
6197 type: string
6198 tenantID:
6199 description: When specifying ClientID and ClientSecret, this field is also required.
6200 type: string
6201 clouddns:
6202 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
6203 type: object
6204 required:
6205 - project
6206 properties:
6207 hostedZoneName:
6208 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
6209 type: string
6210 project:
6211 type: string
6212 serviceAccountSecretRef:
6213 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6214 type: object
6215 required:
6216 - name
6217 properties:
6218 key:
6219 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6220 type: string
6221 name:
6222 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6223 type: string
6224 cloudflare:
6225 description: Use the Cloudflare API to manage DNS01 challenge records.
6226 type: object
6227 properties:
6228 apiKeySecretRef:
6229 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
6230 type: object
6231 required:
6232 - name
6233 properties:
6234 key:
6235 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6236 type: string
6237 name:
6238 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6239 type: string
6240 apiTokenSecretRef:
6241 description: API token used to authenticate with Cloudflare.
6242 type: object
6243 required:
6244 - name
6245 properties:
6246 key:
6247 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6248 type: string
6249 name:
6250 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6251 type: string
6252 email:
6253 description: Email of the account, only required when using API key based authentication.
6254 type: string
6255 cnameStrategy:
6256 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
6257 type: string
6258 enum:
6259 - None
6260 - Follow
6261 digitalocean:
6262 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
6263 type: object
6264 required:
6265 - tokenSecretRef
6266 properties:
6267 tokenSecretRef:
6268 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6269 type: object
6270 required:
6271 - name
6272 properties:
6273 key:
6274 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6275 type: string
6276 name:
6277 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6278 type: string
6279 rfc2136:
6280 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
6281 type: object
6282 required:
6283 - nameserver
6284 properties:
6285 nameserver:
6286 description: The IP address or hostname of an authoritative DNS server supporting RFC2136, in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
6287 type: string
6288 tsigAlgorithm:
6289 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
6290 type: string
6291 tsigKeyName:
6292 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
6293 type: string
6294 tsigSecretSecretRef:
6295 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
6296 type: object
6297 required:
6298 - name
6299 properties:
6300 key:
6301 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6302 type: string
6303 name:
6304 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6305 type: string
6306 route53:
6307 description: Use the AWS Route53 API to manage DNS01 challenge records.
6308 type: object
6309 required:
6310 - region
6311 properties:
6312 accessKeyID:
6313 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
6314 type: string
6315 hostedZoneID:
6316 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
6317 type: string
6318 region:
6319 description: Always set the region when using AccessKeyID and SecretAccessKey.
6320 type: string
6321 role:
6322 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
6323 type: string
6324 secretAccessKeySecretRef:
6325 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
6326 type: object
6327 required:
6328 - name
6329 properties:
6330 key:
6331 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6332 type: string
6333 name:
6334 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6335 type: string
6336 webhook:
6337 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
6338 type: object
6339 required:
6340 - groupName
6341 - solverName
6342 properties:
6343 config:
6344 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
6345 x-kubernetes-preserve-unknown-fields: true
6346 groupName:
6347 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
6348 type: string
6349 solverName:
6350 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
6351 type: string
6352 http01:
6353 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
6354 type: object
6355 properties:
6356 gatewayHTTPRoute:
6357 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
6358 type: object
6359 properties:
6360 labels:
6361 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
6362 type: object
6363 additionalProperties:
6364 type: string
6365 serviceType:
6366 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6367 type: string
6368 ingress:
6369 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
6370 type: object
6371 properties:
6372 class:
6373 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
6374 type: string
6375 ingressTemplate:
6376 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
6377 type: object
6378 properties:
6379 metadata:
6380 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6381 type: object
6382 properties:
6383 annotations:
6384 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
6385 type: object
6386 additionalProperties:
6387 type: string
6388 labels:
6389 description: Labels that should be added to the created ACME HTTP01 solver ingress.
6390 type: object
6391 additionalProperties:
6392 type: string
6393 name:
6394 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
6395 type: string
6396 podTemplate:
6397 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
6398 type: object
6399 properties:
6400 metadata:
6401 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6402 type: object
6403 properties:
6404 annotations:
6405 description: Annotations that should be added to the created ACME HTTP01 solver pods.
6406 type: object
6407 additionalProperties:
6408 type: string
6409 labels:
6410 description: Labels that should be added to the created ACME HTTP01 solver pods.
6411 type: object
6412 additionalProperties:
6413 type: string
6414 spec:
6415 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
6416 type: object
6417 properties:
6418 affinity:
6419 description: If specified, the pod's scheduling constraints
6420 type: object
6421 properties:
6422 nodeAffinity:
6423 description: Describes node affinity scheduling rules for the pod.
6424 type: object
6425 properties:
6426 preferredDuringSchedulingIgnoredDuringExecution:
6427 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
6428 type: array
6429 items:
6430 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
6431 type: object
6432 required:
6433 - preference
6434 - weight
6435 properties:
6436 preference:
6437 description: A node selector term, associated with the corresponding weight.
6438 type: object
6439 properties:
6440 matchExpressions:
6441 description: A list of node selector requirements by node's labels.
6442 type: array
6443 items:
6444 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6445 type: object
6446 required:
6447 - key
6448 - operator
6449 properties:
6450 key:
6451 description: The label key that the selector applies to.
6452 type: string
6453 operator:
6454 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6455 type: string
6456 values:
6457 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6458 type: array
6459 items:
6460 type: string
6461 matchFields:
6462 description: A list of node selector requirements by node's fields.
6463 type: array
6464 items:
6465 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6466 type: object
6467 required:
6468 - key
6469 - operator
6470 properties:
6471 key:
6472 description: The label key that the selector applies to.
6473 type: string
6474 operator:
6475 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6476 type: string
6477 values:
6478 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6479 type: array
6480 items:
6481 type: string
6482 weight:
6483 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
6484 type: integer
6485 format: int32
6486 requiredDuringSchedulingIgnoredDuringExecution:
6487 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
6488 type: object
6489 required:
6490 - nodeSelectorTerms
6491 properties:
6492 nodeSelectorTerms:
6493 description: Required. A list of node selector terms. The terms are ORed.
6494 type: array
6495 items:
6496 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
6497 type: object
6498 properties:
6499 matchExpressions:
6500 description: A list of node selector requirements by node's labels.
6501 type: array
6502 items:
6503 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6504 type: object
6505 required:
6506 - key
6507 - operator
6508 properties:
6509 key:
6510 description: The label key that the selector applies to.
6511 type: string
6512 operator:
6513 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6514 type: string
6515 values:
6516 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6517 type: array
6518 items:
6519 type: string
6520 matchFields:
6521 description: A list of node selector requirements by node's fields.
6522 type: array
6523 items:
6524 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6525 type: object
6526 required:
6527 - key
6528 - operator
6529 properties:
6530 key:
6531 description: The label key that the selector applies to.
6532 type: string
6533 operator:
6534 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6535 type: string
6536 values:
6537 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6538 type: array
6539 items:
6540 type: string
6541 podAffinity:
6542 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
6543 type: object
6544 properties:
6545 preferredDuringSchedulingIgnoredDuringExecution:
6546 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6547 type: array
6548 items:
6549 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6550 type: object
6551 required:
6552 - podAffinityTerm
6553 - weight
6554 properties:
6555 podAffinityTerm:
6556 description: Required. A pod affinity term, associated with the corresponding weight.
6557 type: object
6558 required:
6559 - topologyKey
6560 properties:
6561 labelSelector:
6562 description: A label query over a set of resources, in this case pods.
6563 type: object
6564 properties:
6565 matchExpressions:
6566 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6567 type: array
6568 items:
6569 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6570 type: object
6571 required:
6572 - key
6573 - operator
6574 properties:
6575 key:
6576 description: key is the label key that the selector applies to.
6577 type: string
6578 operator:
6579 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6580 type: string
6581 values:
6582 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6583 type: array
6584 items:
6585 type: string
6586 matchLabels:
6587 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6588 type: object
6589 additionalProperties:
6590 type: string
6591 namespaceSelector:
6592 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6593 type: object
6594 properties:
6595 matchExpressions:
6596 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6597 type: array
6598 items:
6599 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6600 type: object
6601 required:
6602 - key
6603 - operator
6604 properties:
6605 key:
6606 description: key is the label key that the selector applies to.
6607 type: string
6608 operator:
6609 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6610 type: string
6611 values:
6612 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6613 type: array
6614 items:
6615 type: string
6616 matchLabels:
6617 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6618 type: object
6619 additionalProperties:
6620 type: string
6621 namespaces:
6622 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6623 type: array
6624 items:
6625 type: string
6626 topologyKey:
6627 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6628 type: string
6629 weight:
6630 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6631 type: integer
6632 format: int32
6633 requiredDuringSchedulingIgnoredDuringExecution:
6634 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6635 type: array
6636 items:
6637 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6638 type: object
6639 required:
6640 - topologyKey
6641 properties:
6642 labelSelector:
6643 description: A label query over a set of resources, in this case pods.
6644 type: object
6645 properties:
6646 matchExpressions:
6647 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6648 type: array
6649 items:
6650 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6651 type: object
6652 required:
6653 - key
6654 - operator
6655 properties:
6656 key:
6657 description: key is the label key that the selector applies to.
6658 type: string
6659 operator:
6660 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6661 type: string
6662 values:
6663 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6664 type: array
6665 items:
6666 type: string
6667 matchLabels:
6668 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6669 type: object
6670 additionalProperties:
6671 type: string
6672 namespaceSelector:
6673 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list mean "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
6674 type: object
6675 properties:
6676 matchExpressions:
6677 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6678 type: array
6679 items:
6680 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6681 type: object
6682 required:
6683 - key
6684 - operator
6685 properties:
6686 key:
6687 description: key is the label key that the selector applies to.
6688 type: string
6689 operator:
6690 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6691 type: string
6692 values:
6693 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6694 type: array
6695 items:
6696 type: string
6697 matchLabels:
6698 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6699 type: object
6700 additionalProperties:
6701 type: string
6702 namespaces:
6703 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6704 type: array
6705 items:
6706 type: string
6707 topologyKey:
6708 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6709 type: string
6710 podAntiAffinity:
6711 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
6712 type: object
6713 properties:
6714 preferredDuringSchedulingIgnoredDuringExecution:
6715 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6716 type: array
6717 items:
6718 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6719 type: object
6720 required:
6721 - podAffinityTerm
6722 - weight
6723 properties:
6724 podAffinityTerm:
6725 description: Required. A pod affinity term, associated with the corresponding weight.
6726 type: object
6727 required:
6728 - topologyKey
6729 properties:
6730 labelSelector:
6731 description: A label query over a set of resources, in this case pods.
6732 type: object
6733 properties:
6734 matchExpressions:
6735 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6736 type: array
6737 items:
6738 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6739 type: object
6740 required:
6741 - key
6742 - operator
6743 properties:
6744 key:
6745 description: key is the label key that the selector applies to.
6746 type: string
6747 operator:
6748 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6749 type: string
6750 values:
6751 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6752 type: array
6753 items:
6754 type: string
6755 matchLabels:
6756 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6757 type: object
6758 additionalProperties:
6759 type: string
6760 namespaceSelector:
6761 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list mean "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
6762 type: object
6763 properties:
6764 matchExpressions:
6765 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6766 type: array
6767 items:
6768 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6769 type: object
6770 required:
6771 - key
6772 - operator
6773 properties:
6774 key:
6775 description: key is the label key that the selector applies to.
6776 type: string
6777 operator:
6778 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6779 type: string
6780 values:
6781 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6782 type: array
6783 items:
6784 type: string
6785 matchLabels:
6786 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6787 type: object
6788 additionalProperties:
6789 type: string
6790 namespaces:
6791 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6792 type: array
6793 items:
6794 type: string
6795 topologyKey:
6796 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6797 type: string
6798 weight:
6799 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6800 type: integer
6801 format: int32
6802 requiredDuringSchedulingIgnoredDuringExecution:
6803 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6804 type: array
6805 items:
6806 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6807 type: object
6808 required:
6809 - topologyKey
6810 properties:
6811 labelSelector:
6812 description: A label query over a set of resources, in this case pods.
6813 type: object
6814 properties:
6815 matchExpressions:
6816 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6817 type: array
6818 items:
6819 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6820 type: object
6821 required:
6822 - key
6823 - operator
6824 properties:
6825 key:
6826 description: key is the label key that the selector applies to.
6827 type: string
6828 operator:
6829 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6830 type: string
6831 values:
6832 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6833 type: array
6834 items:
6835 type: string
6836 matchLabels:
6837 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6838 type: object
6839 additionalProperties:
6840 type: string
6841 namespaceSelector:
6842 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list mean "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
6843 type: object
6844 properties:
6845 matchExpressions:
6846 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6847 type: array
6848 items:
6849 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6850 type: object
6851 required:
6852 - key
6853 - operator
6854 properties:
6855 key:
6856 description: key is the label key that the selector applies to.
6857 type: string
6858 operator:
6859 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6860 type: string
6861 values:
6862 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6863 type: array
6864 items:
6865 type: string
6866 matchLabels:
6867 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6868 type: object
6869 additionalProperties:
6870 type: string
6871 namespaces:
6872 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6873 type: array
6874 items:
6875 type: string
6876 topologyKey:
6877 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6878 type: string
6879 nodeSelector:
6880 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
6881 type: object
6882 additionalProperties:
6883 type: string
6884 priorityClassName:
6885 description: If specified, the pod's priorityClassName.
6886 type: string
6887 serviceAccountName:
6888 description: If specified, the pod's service account.
6889 type: string
6890 tolerations:
6891 description: If specified, the pod's tolerations.
6892 type: array
6893 items:
6894 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
6895 type: object
6896 properties:
6897 effect:
6898 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
6899 type: string
6900 key:
6901 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
6902 type: string
6903 operator:
6904 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
6905 type: string
6906 tolerationSeconds:
6907 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
6908 type: integer
6909 format: int64
6910 value:
6911 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
6912 type: string
6913 serviceType:
6914 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6915 type: string
6916 selector:
6917 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
6918 type: object
6919 properties:
6920 dnsNames:
6921 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6922 type: array
6923 items:
6924 type: string
6925 dnsZones:
6926 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6927 type: array
6928 items:
6929 type: string
6930 matchLabels:
6931 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
6932 type: object
6933 additionalProperties:
6934 type: string
6935 ca:
6936 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
6937 type: object
6938 required:
6939 - secretName
6940 properties:
6941 crlDistributionPoints:
6942 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
6943 type: array
6944 items:
6945 type: string
6946 ocspServers:
6947 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
6948 type: array
6949 items:
6950 type: string
6951 secretName:
6952 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
6953 type: string
6954 selfSigned:
6955 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
6956 type: object
6957 properties:
6958 crlDistributionPoints:
6959 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
6960 type: array
6961 items:
6962 type: string
6963 vault:
6964 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
6965 type: object
6966 required:
6967 - auth
6968 - path
6969 - server
6970 properties:
6971 auth:
6972 description: Auth configures how cert-manager authenticates with the Vault server.
6973 type: object
6974 properties:
6975 appRole:
6976 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
6977 type: object
6978 required:
6979 - path
6980 - roleId
6981 - secretRef
6982 properties:
6983 path:
6984 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
6985 type: string
6986 roleId:
6987 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
6988 type: string
6989 secretRef:
6990 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
6991 type: object
6992 required:
6993 - name
6994 properties:
6995 key:
6996 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6997 type: string
6998 name:
6999 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7000 type: string
7001 kubernetes:
7002 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
7003 type: object
7004 required:
7005 - role
7006 - secretRef
7007 properties:
7008 mountPath:
7009 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value of `/v1/auth/foo` will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
7010 type: string
7011 role:
7012 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
7013 type: string
7014 secretRef:
7015 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
7016 type: object
7017 required:
7018 - name
7019 properties:
7020 key:
7021 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7022 type: string
7023 name:
7024 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7025 type: string
7026 tokenSecretRef:
7027 description: TokenSecretRef authenticates with Vault by presenting a token.
7028 type: object
7029 required:
7030 - name
7031 properties:
7032 key:
7033 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7034 type: string
7035 name:
7036 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7037 type: string
7038 caBundle:
7039 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol; it is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
7040 type: string
7041 format: byte
7042 namespace:
7043 description: 'Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
7044 type: string
7045 path:
7046 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
7047 type: string
7048 server:
7049 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
7050 type: string
7051 venafi:
7052 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
7053 type: object
7054 required:
7055 - zone
7056 properties:
7057 cloud:
7058 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
7059 type: object
7060 required:
7061 - apiTokenSecretRef
7062 properties:
7063 apiTokenSecretRef:
7064 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
7065 type: object
7066 required:
7067 - name
7068 properties:
7069 key:
7070 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7071 type: string
7072 name:
7073 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7074 type: string
7075 url:
7076 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
7077 type: string
7078 tpp:
7079 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
7080 type: object
7081 required:
7082 - credentialsRef
7083 - url
7084 properties:
7085 caBundle:
7086 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
7087 type: string
7088 format: byte
7089 credentialsRef:
7090 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
7091 type: object
7092 required:
7093 - name
7094 properties:
7095 name:
7096 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7097 type: string
7098 url:
7099 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
7100 type: string
7101 zone:
7102 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
7103 type: string
7104 status:
7105 description: Status of the ClusterIssuer. This is set and managed automatically.
7106 type: object
7107 properties:
7108 acme:
7109 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
7110 type: object
7111 properties:
7112 lastRegisteredEmail:
7113 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
7114 type: string
7115 uri:
7116 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA.
7117 type: string
7118 conditions:
7119 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
7120 type: array
7121 items:
7122 description: IssuerCondition contains condition information for an Issuer.
7123 type: object
7124 required:
7125 - status
7126 - type
7127 properties:
7128 lastTransitionTime:
7129 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
7130 type: string
7131 format: date-time
7132 message:
7133 description: Message is a human readable description of the details of the last transition, complementing reason.
7134 type: string
7135 observedGeneration:
7136 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
7137 type: integer
7138 format: int64
7139 reason:
7140 description: Reason is a brief machine readable explanation for the condition's last transition.
7141 type: string
7142 status:
7143 description: Status of the condition, one of (`True`, `False`, `Unknown`).
7144 type: string
7145 enum:
7146 - "True"
7147 - "False"
7148 - Unknown
7149 type:
7150 description: Type of the condition, known values are (`Ready`).
7151 type: string
7152 served: true
7153 storage: false
7154 - name: v1alpha3
7155 subresources:
7156 status: {}
7157 additionalPrinterColumns:
7158 - jsonPath: .status.conditions[?(@.type=="Ready")].status
7159 name: Ready
7160 type: string
7161 - jsonPath: .status.conditions[?(@.type=="Ready")].message
7162 name: Status
7163 priority: 1
7164 type: string
7165 - jsonPath: .metadata.creationTimestamp
7166 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
7167 name: Age
7168 type: date
7169 schema:
7170 openAPIV3Schema:
7171 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
7172 type: object
7173 properties:
7174 apiVersion:
7175 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
7176 type: string
7177 kind:
7178 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
7179 type: string
7180 metadata:
7181 type: object
7182 spec:
7183 description: Desired state of the ClusterIssuer resource.
7184 type: object
7185 properties:
7186 acme:
7187 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
7188 type: object
7189 required:
7190 - privateKeySecretRef
7191 - server
7192 properties:
7193 disableAccountKeyGeneration:
7194 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
7195 type: boolean
7196 email:
7197 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
7198 type: string
7199 enableDurationFeature:
7200 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
7201 type: boolean
7202 externalAccountBinding:
7203 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
7204 type: object
7205 required:
7206 - keyID
7207 - keySecretRef
7208 properties:
7209 keyAlgorithm:
7210 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
7211 type: string
7212 enum:
7213 - HS256
7214 - HS384
7215 - HS512
7216 keyID:
7217 description: keyID is the ID of the CA key that the External Account is bound to.
7218 type: string
7219 keySecretRef:
7220 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
7221 type: object
7222 required:
7223 - name
7224 properties:
7225 key:
7226 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7227 type: string
7228 name:
7229 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7230 type: string
7231 preferredChain:
7232 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
7233 type: string
7234 maxLength: 64
7235 privateKeySecretRef:
7236 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
7237 type: object
7238 required:
7239 - name
7240 properties:
7241 key:
7242 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7243 type: string
7244 name:
7245 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7246 type: string
7247 server:
7248 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
7249 type: string
7250 skipTLSVerify:
7251 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
7252 type: boolean
7253 solvers:
7254 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
7255 type: array
7256 items:
7257 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
7258 type: object
7259 properties:
7260 dns01:
7261 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
7262 type: object
7263 properties:
7264 acmedns:
7265 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
7266 type: object
7267 required:
7268 - accountSecretRef
7269 - host
7270 properties:
7271 accountSecretRef:
7272 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7273 type: object
7274 required:
7275 - name
7276 properties:
7277 key:
7278 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7279 type: string
7280 name:
7281 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7282 type: string
7283 host:
7284 type: string
7285 akamai:
7286 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
7287 type: object
7288 required:
7289 - accessTokenSecretRef
7290 - clientSecretSecretRef
7291 - clientTokenSecretRef
7292 - serviceConsumerDomain
7293 properties:
7294 accessTokenSecretRef:
7295 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7296 type: object
7297 required:
7298 - name
7299 properties:
7300 key:
7301 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7302 type: string
7303 name:
7304 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7305 type: string
7306 clientSecretSecretRef:
7307 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7308 type: object
7309 required:
7310 - name
7311 properties:
7312 key:
7313 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7314 type: string
7315 name:
7316 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7317 type: string
7318 clientTokenSecretRef:
7319 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7320 type: object
7321 required:
7322 - name
7323 properties:
7324 key:
7325 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7326 type: string
7327 name:
7328 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7329 type: string
7330 serviceConsumerDomain:
7331 type: string
7332 azuredns:
7333 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
7334 type: object
7335 required:
7336 - resourceGroupName
7337 - subscriptionID
7338 properties:
7339 clientID:
7340 description: If both this and ClientSecret are left unset, MSI will be used.
7341 type: string
7342 clientSecretSecretRef:
7343 description: If both this and ClientID are left unset, MSI will be used.
7344 type: object
7345 required:
7346 - name
7347 properties:
7348 key:
7349 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7350 type: string
7351 name:
7352 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7353 type: string
7354 environment:
7355 type: string
7356 enum:
7357 - AzurePublicCloud
7358 - AzureChinaCloud
7359 - AzureGermanCloud
7360 - AzureUSGovernmentCloud
7361 hostedZoneName:
7362 type: string
7363 resourceGroupName:
7364 type: string
7365 subscriptionID:
7366 type: string
7367 tenantID:
7368 description: When specifying ClientID and ClientSecret, this field is also needed.
7369 type: string
7370 clouddns:
7371 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
7372 type: object
7373 required:
7374 - project
7375 properties:
7376 hostedZoneName:
7377 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
7378 type: string
7379 project:
7380 type: string
7381 serviceAccountSecretRef:
7382 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7383 type: object
7384 required:
7385 - name
7386 properties:
7387 key:
7388 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7389 type: string
7390 name:
7391 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7392 type: string
7393 cloudflare:
7394 description: Use the Cloudflare API to manage DNS01 challenge records.
7395 type: object
7396 properties:
7397 apiKeySecretRef:
7398 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
7399 type: object
7400 required:
7401 - name
7402 properties:
7403 key:
7404 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7405 type: string
7406 name:
7407 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7408 type: string
7409 apiTokenSecretRef:
7410 description: API token used to authenticate with Cloudflare.
7411 type: object
7412 required:
7413 - name
7414 properties:
7415 key:
7416 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7417 type: string
7418 name:
7419 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7420 type: string
7421 email:
7422 description: Email of the account, only required when using API key based authentication.
7423 type: string
7424 cnameStrategy:
7425 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
7426 type: string
7427 enum:
7428 - None
7429 - Follow
7430 digitalocean:
7431 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
7432 type: object
7433 required:
7434 - tokenSecretRef
7435 properties:
7436 tokenSecretRef:
7437 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7438 type: object
7439 required:
7440 - name
7441 properties:
7442 key:
7443 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7444 type: string
7445 name:
7446 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7447 type: string
7448 rfc2136:
7449 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
7450 type: object
7451 required:
7452 - nameserver
7453 properties:
7454 nameserver:
7455 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
7456 type: string
7457 tsigAlgorithm:
7458 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
7459 type: string
7460 tsigKeyName:
7461 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
7462 type: string
7463 tsigSecretSecretRef:
7464 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
7465 type: object
7466 required:
7467 - name
7468 properties:
7469 key:
7470 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7471 type: string
7472 name:
7473 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7474 type: string
7475 route53:
7476 description: Use the AWS Route53 API to manage DNS01 challenge records.
7477 type: object
7478 required:
7479 - region
7480 properties:
7481 accessKeyID:
7482 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
7483 type: string
7484 hostedZoneID:
7485 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
7486 type: string
7487 region:
7488 description: Always set the region when using AccessKeyID and SecretAccessKey.
7489 type: string
7490 role:
7491 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata.
7492 type: string
7493 secretAccessKeySecretRef:
7494 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
7495 type: object
7496 required:
7497 - name
7498 properties:
7499 key:
7500 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7501 type: string
7502 name:
7503 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7504 type: string
7505 webhook:
7506 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
7507 type: object
7508 required:
7509 - groupName
7510 - solverName
7511 properties:
7512 config:
7513 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
7514 x-kubernetes-preserve-unknown-fields: true
7515 groupName:
7516 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
7517 type: string
7518 solverName:
7519 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
7520 type: string
7521 http01:
7522 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
7523 type: object
7524 properties:
7525 gatewayHTTPRoute:
7526 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
7527 type: object
7528 properties:
7529 labels:
7530 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
7531 type: object
7532 additionalProperties:
7533 type: string
7534 serviceType:
7535 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
7536 type: string
7537 ingress:
7538 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
7539 type: object
7540 properties:
7541 class:
7542 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
7543 type: string
7544 ingressTemplate:
7545 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
7546 type: object
7547 properties:
7548 metadata:
7549 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7550 type: object
7551 properties:
7552 annotations:
7553 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
7554 type: object
7555 additionalProperties:
7556 type: string
7557 labels:
7558 description: Labels that should be added to the created ACME HTTP01 solver ingress.
7559 type: object
7560 additionalProperties:
7561 type: string
7562 name:
7563 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
7564 type: string
7565 podTemplate:
7566 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
7567 type: object
7568 properties:
7569 metadata:
7570 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7571 type: object
7572 properties:
7573 annotations:
7574 description: Annotations that should be added to the created ACME HTTP01 solver pods.
7575 type: object
7576 additionalProperties:
7577 type: string
7578 labels:
7579 description: Labels that should be added to the created ACME HTTP01 solver pods.
7580 type: object
7581 additionalProperties:
7582 type: string
7583 spec:
7584 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
7585 type: object
7586 properties:
7587 affinity:
7588 description: If specified, the pod's scheduling constraints
7589 type: object
7590 properties:
7591 nodeAffinity:
7592 description: Describes node affinity scheduling rules for the pod.
7593 type: object
7594 properties:
7595 preferredDuringSchedulingIgnoredDuringExecution:
7596 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
7597 type: array
7598 items:
7599 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
7600 type: object
7601 required:
7602 - preference
7603 - weight
7604 properties:
7605 preference:
7606 description: A node selector term, associated with the corresponding weight.
7607 type: object
7608 properties:
7609 matchExpressions:
7610 description: A list of node selector requirements by node's labels.
7611 type: array
7612 items:
7613 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7614 type: object
7615 required:
7616 - key
7617 - operator
7618 properties:
7619 key:
7620 description: The label key that the selector applies to.
7621 type: string
7622 operator:
7623 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7624 type: string
7625 values:
7626 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7627 type: array
7628 items:
7629 type: string
7630 matchFields:
7631 description: A list of node selector requirements by node's fields.
7632 type: array
7633 items:
7634 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7635 type: object
7636 required:
7637 - key
7638 - operator
7639 properties:
7640 key:
7641 description: The label key that the selector applies to.
7642 type: string
7643 operator:
7644 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7645 type: string
7646 values:
7647 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7648 type: array
7649 items:
7650 type: string
7651 weight:
7652 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
7653 type: integer
7654 format: int32
7655 requiredDuringSchedulingIgnoredDuringExecution:
7656 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
7657 type: object
7658 required:
7659 - nodeSelectorTerms
7660 properties:
7661 nodeSelectorTerms:
7662 description: Required. A list of node selector terms. The terms are ORed.
7663 type: array
7664 items:
7665 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
7666 type: object
7667 properties:
7668 matchExpressions:
7669 description: A list of node selector requirements by node's labels.
7670 type: array
7671 items:
7672 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7673 type: object
7674 required:
7675 - key
7676 - operator
7677 properties:
7678 key:
7679 description: The label key that the selector applies to.
7680 type: string
7681 operator:
7682 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7683 type: string
7684 values:
7685 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7686 type: array
7687 items:
7688 type: string
7689 matchFields:
7690 description: A list of node selector requirements by node's fields.
7691 type: array
7692 items:
7693 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7694 type: object
7695 required:
7696 - key
7697 - operator
7698 properties:
7699 key:
7700 description: The label key that the selector applies to.
7701 type: string
7702 operator:
7703 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7704 type: string
7705 values:
7706 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7707 type: array
7708 items:
7709 type: string
7710 podAffinity:
7711 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
7712 type: object
7713 properties:
7714 preferredDuringSchedulingIgnoredDuringExecution:
7715 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7716 type: array
7717 items:
7718 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7719 type: object
7720 required:
7721 - podAffinityTerm
7722 - weight
7723 properties:
7724 podAffinityTerm:
7725 description: Required. A pod affinity term, associated with the corresponding weight.
7726 type: object
7727 required:
7728 - topologyKey
7729 properties:
7730 labelSelector:
7731 description: A label query over a set of resources, in this case pods.
7732 type: object
7733 properties:
7734 matchExpressions:
7735 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7736 type: array
7737 items:
7738 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7739 type: object
7740 required:
7741 - key
7742 - operator
7743 properties:
7744 key:
7745 description: key is the label key that the selector applies to.
7746 type: string
7747 operator:
7748 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7749 type: string
7750 values:
7751 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7752 type: array
7753 items:
7754 type: string
7755 matchLabels:
7756 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7757 type: object
7758 additionalProperties:
7759 type: string
7760 namespaceSelector:
7761 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7762 type: object
7763 properties:
7764 matchExpressions:
7765 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7766 type: array
7767 items:
7768 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7769 type: object
7770 required:
7771 - key
7772 - operator
7773 properties:
7774 key:
7775 description: key is the label key that the selector applies to.
7776 type: string
7777 operator:
7778 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7779 type: string
7780 values:
7781 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7782 type: array
7783 items:
7784 type: string
7785 matchLabels:
7786 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7787 type: object
7788 additionalProperties:
7789 type: string
7790 namespaces:
7791 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7792 type: array
7793 items:
7794 type: string
7795 topologyKey:
7796 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7797 type: string
7798 weight:
7799 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7800 type: integer
7801 format: int32
7802 requiredDuringSchedulingIgnoredDuringExecution:
7803 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7804 type: array
7805 items:
7806 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7807 type: object
7808 required:
7809 - topologyKey
7810 properties:
7811 labelSelector:
7812 description: A label query over a set of resources, in this case pods.
7813 type: object
7814 properties:
7815 matchExpressions:
7816 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7817 type: array
7818 items:
7819 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7820 type: object
7821 required:
7822 - key
7823 - operator
7824 properties:
7825 key:
7826 description: key is the label key that the selector applies to.
7827 type: string
7828 operator:
7829 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7830 type: string
7831 values:
7832 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7833 type: array
7834 items:
7835 type: string
7836 matchLabels:
7837 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7838 type: object
7839 additionalProperties:
7840 type: string
7841 namespaceSelector:
7842 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7843 type: object
7844 properties:
7845 matchExpressions:
7846 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7847 type: array
7848 items:
7849 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7850 type: object
7851 required:
7852 - key
7853 - operator
7854 properties:
7855 key:
7856 description: key is the label key that the selector applies to.
7857 type: string
7858 operator:
7859 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7860 type: string
7861 values:
7862 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7863 type: array
7864 items:
7865 type: string
7866 matchLabels:
7867 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7868 type: object
7869 additionalProperties:
7870 type: string
7871 namespaces:
7872 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7873 type: array
7874 items:
7875 type: string
7876 topologyKey:
7877 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7878 type: string
7879 podAntiAffinity:
7880 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
7881 type: object
7882 properties:
7883 preferredDuringSchedulingIgnoredDuringExecution:
7884 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7885 type: array
7886 items:
7887 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7888 type: object
7889 required:
7890 - podAffinityTerm
7891 - weight
7892 properties:
7893 podAffinityTerm:
7894 description: Required. A pod affinity term, associated with the corresponding weight.
7895 type: object
7896 required:
7897 - topologyKey
7898 properties:
7899 labelSelector:
7900 description: A label query over a set of resources, in this case pods.
7901 type: object
7902 properties:
7903 matchExpressions:
7904 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7905 type: array
7906 items:
7907 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7908 type: object
7909 required:
7910 - key
7911 - operator
7912 properties:
7913 key:
7914 description: key is the label key that the selector applies to.
7915 type: string
7916 operator:
7917 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7918 type: string
7919 values:
7920 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7921 type: array
7922 items:
7923 type: string
7924 matchLabels:
7925 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7926 type: object
7927 additionalProperties:
7928 type: string
7929 namespaceSelector:
7930 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7931 type: object
7932 properties:
7933 matchExpressions:
7934 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7935 type: array
7936 items:
7937 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7938 type: object
7939 required:
7940 - key
7941 - operator
7942 properties:
7943 key:
7944 description: key is the label key that the selector applies to.
7945 type: string
7946 operator:
7947 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7948 type: string
7949 values:
7950 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7951 type: array
7952 items:
7953 type: string
7954 matchLabels:
7955 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7956 type: object
7957 additionalProperties:
7958 type: string
7959 namespaces:
7960 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7961 type: array
7962 items:
7963 type: string
7964 topologyKey:
7965 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7966 type: string
7967 weight:
7968 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7969 type: integer
7970 format: int32
7971 requiredDuringSchedulingIgnoredDuringExecution:
7972 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7973 type: array
7974 items:
7975 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7976 type: object
7977 required:
7978 - topologyKey
7979 properties:
7980 labelSelector:
7981 description: A label query over a set of resources, in this case pods.
7982 type: object
7983 properties:
7984 matchExpressions:
7985 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7986 type: array
7987 items:
7988 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7989 type: object
7990 required:
7991 - key
7992 - operator
7993 properties:
7994 key:
7995 description: key is the label key that the selector applies to.
7996 type: string
7997 operator:
7998 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7999 type: string
8000 values:
8001 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8002 type: array
8003 items:
8004 type: string
8005 matchLabels:
8006 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8007 type: object
8008 additionalProperties:
8009 type: string
8010 namespaceSelector:
8011 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8012 type: object
8013 properties:
8014 matchExpressions:
8015 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8016 type: array
8017 items:
8018 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8019 type: object
8020 required:
8021 - key
8022 - operator
8023 properties:
8024 key:
8025 description: key is the label key that the selector applies to.
8026 type: string
8027 operator:
8028 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8029 type: string
8030 values:
8031 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8032 type: array
8033 items:
8034 type: string
8035 matchLabels:
8036 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8037 type: object
8038 additionalProperties:
8039 type: string
8040 namespaces:
8041 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8042 type: array
8043 items:
8044 type: string
8045 topologyKey:
8046 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8047 type: string
8048 nodeSelector:
8049 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
8050 type: object
8051 additionalProperties:
8052 type: string
8053 priorityClassName:
8054 description: If specified, the pod's priorityClassName.
8055 type: string
8056 serviceAccountName:
8057 description: If specified, the pod's service account
8058 type: string
8059 tolerations:
8060 description: If specified, the pod's tolerations.
8061 type: array
8062 items:
8063 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
8064 type: object
8065 properties:
8066 effect:
8067 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
8068 type: string
8069 key:
8070 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
8071 type: string
8072 operator:
8073 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
8074 type: string
8075 tolerationSeconds:
8076 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
8077 type: integer
8078 format: int64
8079 value:
8080 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
8081 type: string
8082 serviceType:
8083 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8084 type: string
8085 selector:
8086 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
8087 type: object
8088 properties:
8089 dnsNames:
8090 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8091 type: array
8092 items:
8093 type: string
8094 dnsZones:
8095 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8096 type: array
8097 items:
8098 type: string
8099 matchLabels:
8100 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
8101 type: object
8102 additionalProperties:
8103 type: string
8104 ca:
8105 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
8106 type: object
8107 required:
8108 - secretName
8109 properties:
8110 crlDistributionPoints:
8111 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
8112 type: array
8113 items:
8114 type: string
8115 ocspServers:
8116 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
8117 type: array
8118 items:
8119 type: string
8120 secretName:
8121 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
8122 type: string
8123 selfSigned:
8124 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
8125 type: object
8126 properties:
8127 crlDistributionPoints:
8128 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
8129 type: array
8130 items:
8131 type: string
8132 vault:
8133 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
8134 type: object
8135 required:
8136 - auth
8137 - path
8138 - server
8139 properties:
8140 auth:
8141 description: Auth configures how cert-manager authenticates with the Vault server.
8142 type: object
8143 properties:
8144 appRole:
8145 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
8146 type: object
8147 required:
8148 - path
8149 - roleId
8150 - secretRef
8151 properties:
8152 path:
8153 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
8154 type: string
8155 roleId:
8156 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
8157 type: string
8158 secretRef:
8159 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
8160 type: object
8161 required:
8162 - name
8163 properties:
8164 key:
8165 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8166 type: string
8167 name:
8168 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8169 type: string
8170 kubernetes:
8171 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
8172 type: object
8173 required:
8174 - role
8175 - secretRef
8176 properties:
8177 mountPath:
8178 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
8179 type: string
8180 role:
8181 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
8182 type: string
8183 secretRef:
8184 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
8185 type: object
8186 required:
8187 - name
8188 properties:
8189 key:
8190 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8191 type: string
8192 name:
8193 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8194 type: string
8195 tokenSecretRef:
8196 description: TokenSecretRef authenticates with Vault by presenting a token.
8197 type: object
8198 required:
8199 - name
8200 properties:
8201 key:
8202 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8203 type: string
8204 name:
8205 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8206 type: string
8207 caBundle:
8208 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection.
8209 type: string
8210 format: byte
8211 namespace:
8212 description: 'Name of the Vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
8213 type: string
8214 path:
8215 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
8216 type: string
8217 server:
8218 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
8219 type: string
8220 venafi:
8221 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
8222 type: object
8223 required:
8224 - zone
8225 properties:
8226 cloud:
8227 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
8228 type: object
8229 required:
8230 - apiTokenSecretRef
8231 properties:
8232 apiTokenSecretRef:
8233 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
8234 type: object
8235 required:
8236 - name
8237 properties:
8238 key:
8239 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8240 type: string
8241 name:
8242 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8243 type: string
8244 url:
8245 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
8246 type: string
8247 tpp:
8248 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
8249 type: object
8250 required:
8251 - credentialsRef
8252 - url
8253 properties:
8254 caBundle:
8255 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
8256 type: string
8257 format: byte
8258 credentialsRef:
8259 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
8260 type: object
8261 required:
8262 - name
8263 properties:
8264 name:
8265 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8266 type: string
8267 url:
8268 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
8269 type: string
8270 zone:
8271 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
8272 type: string
8273 status:
8274 description: Status of the ClusterIssuer. This is set and managed automatically.
8275 type: object
8276 properties:
8277 acme:
8278 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
8279 type: object
8280 properties:
8281 lastRegisteredEmail:
8282 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
8283 type: string
8284 uri:
8285 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA.
8286 type: string
8287 conditions:
8288 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
8289 type: array
8290 items:
8291 description: IssuerCondition contains condition information for an Issuer.
8292 type: object
8293 required:
8294 - status
8295 - type
8296 properties:
8297 lastTransitionTime:
8298 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
8299 type: string
8300 format: date-time
8301 message:
8302 description: Message is a human readable description of the details of the last transition, complementing reason.
8303 type: string
8304 observedGeneration:
8305 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
8306 type: integer
8307 format: int64
8308 reason:
8309 description: Reason is a brief machine readable explanation for the condition's last transition.
8310 type: string
8311 status:
8312 description: Status of the condition, one of (`True`, `False`, `Unknown`).
8313 type: string
8314 enum:
8315 - "True"
8316 - "False"
8317 - Unknown
8318 type:
8319 description: Type of the condition, known values are (`Ready`).
8320 type: string
8321 served: true
8322 storage: false
8323 - name: v1beta1
8324 subresources:
8325 status: {}
8326 additionalPrinterColumns:
8327 - jsonPath: .status.conditions[?(@.type=="Ready")].status
8328 name: Ready
8329 type: string
8330 - jsonPath: .status.conditions[?(@.type=="Ready")].message
8331 name: Status
8332 priority: 1
8333 type: string
8334 - jsonPath: .metadata.creationTimestamp
8335 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
8336 name: Age
8337 type: date
8338 schema:
8339 openAPIV3Schema:
8340 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
8341 type: object
8342 required:
8343 - spec
8344 properties:
8345 apiVersion:
8346 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8347 type: string
8348 kind:
8349 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8350 type: string
8351 metadata:
8352 type: object
8353 spec:
8354 description: Desired state of the ClusterIssuer resource.
8355 type: object
8356 properties:
8357 acme:
8358 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
8359 type: object
8360 required:
8361 - privateKeySecretRef
8362 - server
8363 properties:
8364 disableAccountKeyGeneration:
8365 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
8366 type: boolean
8367 email:
8368 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
8369 type: string
8370 enableDurationFeature:
8371 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, an error will be created on the Order. Defaults to false.
8372 type: boolean
8373 externalAccountBinding:
8374 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
8375 type: object
8376 required:
8377 - keyID
8378 - keySecretRef
8379 properties:
8380 keyAlgorithm:
8381 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
8382 type: string
8383 enum:
8384 - HS256
8385 - HS384
8386 - HS512
8387 keyID:
8388 description: keyID is the ID of the CA key that the External Account is bound to.
8389 type: string
8390 keySecretRef:
8391 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
8392 type: object
8393 required:
8394 - name
8395 properties:
8396 key:
8397 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8398 type: string
8399 name:
8400 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8401 type: string
8402 preferredChain:
8403 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
8404 type: string
8405 maxLength: 64
8406 privateKeySecretRef:
8407 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
8408 type: object
8409 required:
8410 - name
8411 properties:
8412 key:
8413 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8414 type: string
8415 name:
8416 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8417 type: string
8418 server:
8419 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
8420 type: string
8421 skipTLSVerify:
8422 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
8423 type: boolean
8424 solvers:
8425 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
8426 type: array
8427 items:
8428 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
8429 type: object
8430 properties:
8431 dns01:
8432 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
8433 type: object
8434 properties:
8435 acmeDNS:
8436 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
8437 type: object
8438 required:
8439 - accountSecretRef
8440 - host
8441 properties:
8442 accountSecretRef:
8443 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8444 type: object
8445 required:
8446 - name
8447 properties:
8448 key:
8449 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8450 type: string
8451 name:
8452 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8453 type: string
8454 host:
8455 type: string
8456 akamai:
8457 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
8458 type: object
8459 required:
8460 - accessTokenSecretRef
8461 - clientSecretSecretRef
8462 - clientTokenSecretRef
8463 - serviceConsumerDomain
8464 properties:
8465 accessTokenSecretRef:
8466 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8467 type: object
8468 required:
8469 - name
8470 properties:
8471 key:
8472 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8473 type: string
8474 name:
8475 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8476 type: string
8477 clientSecretSecretRef:
8478 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8479 type: object
8480 required:
8481 - name
8482 properties:
8483 key:
8484 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8485 type: string
8486 name:
8487 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8488 type: string
8489 clientTokenSecretRef:
8490 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8491 type: object
8492 required:
8493 - name
8494 properties:
8495 key:
8496 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8497 type: string
8498 name:
8499 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8500 type: string
8501 serviceConsumerDomain:
8502 type: string
8503 azureDNS:
8504 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
8505 type: object
8506 required:
8507 - resourceGroupName
8508 - subscriptionID
8509 properties:
8510 clientID:
8511 description: If both this and ClientSecret are left unset, MSI will be used.
8512 type: string
8513 clientSecretSecretRef:
8514 description: If both this and ClientID are left unset, MSI will be used.
8515 type: object
8516 required:
8517 - name
8518 properties:
8519 key:
8520 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8521 type: string
8522 name:
8523 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8524 type: string
8525 environment:
8526 type: string
8527 enum:
8528 - AzurePublicCloud
8529 - AzureChinaCloud
8530 - AzureGermanCloud
8531 - AzureUSGovernmentCloud
8532 hostedZoneName:
8533 type: string
8534 resourceGroupName:
8535 type: string
8536 subscriptionID:
8537 type: string
8538 tenantID:
8539 description: When specifying ClientID and ClientSecret, this field is also required.
8540 type: string
8541 cloudDNS:
8542 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
8543 type: object
8544 required:
8545 - project
8546 properties:
8547 hostedZoneName:
8548 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
8549 type: string
8550 project:
8551 type: string
8552 serviceAccountSecretRef:
8553 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8554 type: object
8555 required:
8556 - name
8557 properties:
8558 key:
8559 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8560 type: string
8561 name:
8562 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8563 type: string
8564 cloudflare:
8565 description: Use the Cloudflare API to manage DNS01 challenge records.
8566 type: object
8567 properties:
8568 apiKeySecretRef:
8569 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
8570 type: object
8571 required:
8572 - name
8573 properties:
8574 key:
8575 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8576 type: string
8577 name:
8578 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8579 type: string
8580 apiTokenSecretRef:
8581 description: API token used to authenticate with Cloudflare.
8582 type: object
8583 required:
8584 - name
8585 properties:
8586 key:
8587 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8588 type: string
8589 name:
8590 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8591 type: string
8592 email:
8593 description: Email of the account, only required when using API key based authentication.
8594 type: string
8595 cnameStrategy:
8596 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
8597 type: string
8598 enum:
8599 - None
8600 - Follow
8601 digitalocean:
8602 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
8603 type: object
8604 required:
8605 - tokenSecretRef
8606 properties:
8607 tokenSecretRef:
8608 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8609 type: object
8610 required:
8611 - name
8612 properties:
8613 key:
8614 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8615 type: string
8616 name:
8617 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8618 type: string
8619 rfc2136:
8620 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
8621 type: object
8622 required:
8623 - nameserver
8624 properties:
8625 nameserver:
8626 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
8627 type: string
8628 tsigAlgorithm:
8629 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
8630 type: string
8631 tsigKeyName:
8632 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
8633 type: string
8634 tsigSecretSecretRef:
8635 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
8636 type: object
8637 required:
8638 - name
8639 properties:
8640 key:
8641 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8642 type: string
8643 name:
8644 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8645 type: string
8646 route53:
8647 description: Use the AWS Route53 API to manage DNS01 challenge records.
8648 type: object
8649 required:
8650 - region
8651 properties:
8652 accessKeyID:
8653 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using environment variables, the shared credentials file or AWS instance metadata. See: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
8654 type: string
8655 hostedZoneID:
8656 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
8657 type: string
8658 region:
8659 description: Always set the region when using AccessKeyID and SecretAccessKey
8660 type: string
8661 role:
8662 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
8663 type: string
8664 secretAccessKeySecretRef:
8665 description: The SecretAccessKey is used for authentication. If not set, we fall back to using environment variables, the shared credentials file or AWS instance metadata. See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8666 type: object
8667 required:
8668 - name
8669 properties:
8670 key:
8671 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8672 type: string
8673 name:
8674 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8675 type: string
8676 webhook:
8677 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
8678 type: object
8679 required:
8680 - groupName
8681 - solverName
8682 properties:
8683 config:
8684 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
8685 x-kubernetes-preserve-unknown-fields: true
8686 groupName:
8687 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
8688 type: string
8689 solverName:
8690 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
8691 type: string
8692 http01:
8693 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
8694 type: object
8695 properties:
8696 gatewayHTTPRoute:
8697 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
8698 type: object
8699 properties:
8700 labels:
8701 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
8702 type: object
8703 additionalProperties:
8704 type: string
8705 serviceType:
8706 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8707 type: string
8708 ingress:
8709 description: The ingress-based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
8710 type: object
8711 properties:
8712 class:
8713 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
8714 type: string
8715 ingressTemplate:
8716 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
8717 type: object
8718 properties:
8719 metadata:
8720 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8721 type: object
8722 properties:
8723 annotations:
8724 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
8725 type: object
8726 additionalProperties:
8727 type: string
8728 labels:
8729 description: Labels that should be added to the created ACME HTTP01 solver ingress.
8730 type: object
8731 additionalProperties:
8732 type: string
8733 name:
8734 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
8735 type: string
8736 podTemplate:
8737 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
8738 type: object
8739 properties:
8740 metadata:
8741 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8742 type: object
8743 properties:
8744 annotations:
8745 description: Annotations that should be added to the created ACME HTTP01 solver pods.
8746 type: object
8747 additionalProperties:
8748 type: string
8749 labels:
8750 description: Labels that should be added to the created ACME HTTP01 solver pods.
8751 type: object
8752 additionalProperties:
8753 type: string
8754 spec:
8755 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
8756 type: object
8757 properties:
8758 affinity:
8759 description: If specified, the pod's scheduling constraints
8760 type: object
8761 properties:
8762 nodeAffinity:
8763 description: Describes node affinity scheduling rules for the pod.
8764 type: object
8765 properties:
8766 preferredDuringSchedulingIgnoredDuringExecution:
8767 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
8768 type: array
8769 items:
8770 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
8771 type: object
8772 required:
8773 - preference
8774 - weight
8775 properties:
8776 preference:
8777 description: A node selector term, associated with the corresponding weight.
8778 type: object
8779 properties:
8780 matchExpressions:
8781 description: A list of node selector requirements by node's labels.
8782 type: array
8783 items:
8784 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8785 type: object
8786 required:
8787 - key
8788 - operator
8789 properties:
8790 key:
8791 description: The label key that the selector applies to.
8792 type: string
8793 operator:
8794 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8795 type: string
8796 values:
8797 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8798 type: array
8799 items:
8800 type: string
8801 matchFields:
8802 description: A list of node selector requirements by node's fields.
8803 type: array
8804 items:
8805 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8806 type: object
8807 required:
8808 - key
8809 - operator
8810 properties:
8811 key:
8812 description: The label key that the selector applies to.
8813 type: string
8814 operator:
8815 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8816 type: string
8817 values:
8818 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8819 type: array
8820 items:
8821 type: string
8822 weight:
8823 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
8824 type: integer
8825 format: int32
8826 requiredDuringSchedulingIgnoredDuringExecution:
8827 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
8828 type: object
8829 required:
8830 - nodeSelectorTerms
8831 properties:
8832 nodeSelectorTerms:
8833 description: Required. A list of node selector terms. The terms are ORed.
8834 type: array
8835 items:
8836 description: A null or empty node selector term matches no objects. Their requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
8837 type: object
8838 properties:
8839 matchExpressions:
8840 description: A list of node selector requirements by node's labels.
8841 type: array
8842 items:
8843 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8844 type: object
8845 required:
8846 - key
8847 - operator
8848 properties:
8849 key:
8850 description: The label key that the selector applies to.
8851 type: string
8852 operator:
8853 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8854 type: string
8855 values:
8856 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8857 type: array
8858 items:
8859 type: string
8860 matchFields:
8861 description: A list of node selector requirements by node's fields.
8862 type: array
8863 items:
8864 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8865 type: object
8866 required:
8867 - key
8868 - operator
8869 properties:
8870 key:
8871 description: The label key that the selector applies to.
8872 type: string
8873 operator:
8874 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8875 type: string
8876 values:
8877 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8878 type: array
8879 items:
8880 type: string
8881 podAffinity:
8882 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
8883 type: object
8884 properties:
8885 preferredDuringSchedulingIgnoredDuringExecution:
8886 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
8887 type: array
8888 items:
8889 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
8890 type: object
8891 required:
8892 - podAffinityTerm
8893 - weight
8894 properties:
8895 podAffinityTerm:
8896 description: Required. A pod affinity term, associated with the corresponding weight.
8897 type: object
8898 required:
8899 - topologyKey
8900 properties:
8901 labelSelector:
8902 description: A label query over a set of resources, in this case pods.
8903 type: object
8904 properties:
8905 matchExpressions:
8906 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8907 type: array
8908 items:
8909 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8910 type: object
8911 required:
8912 - key
8913 - operator
8914 properties:
8915 key:
8916 description: key is the label key that the selector applies to.
8917 type: string
8918 operator:
8919 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8920 type: string
8921 values:
8922 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8923 type: array
8924 items:
8925 type: string
8926 matchLabels:
8927 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8928 type: object
8929 additionalProperties:
8930 type: string
8931 namespaceSelector:
8932 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8933 type: object
8934 properties:
8935 matchExpressions:
8936 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8937 type: array
8938 items:
8939 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8940 type: object
8941 required:
8942 - key
8943 - operator
8944 properties:
8945 key:
8946 description: key is the label key that the selector applies to.
8947 type: string
8948 operator:
8949 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8950 type: string
8951 values:
8952 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8953 type: array
8954 items:
8955 type: string
8956 matchLabels:
8957 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8958 type: object
8959 additionalProperties:
8960 type: string
8961 namespaces:
8962 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8963 type: array
8964 items:
8965 type: string
8966 topologyKey:
8967 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8968 type: string
8969 weight:
8970 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
8971 type: integer
8972 format: int32
8973 requiredDuringSchedulingIgnoredDuringExecution:
8974 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
8975 type: array
8976 items:
8977 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
8978 type: object
8979 required:
8980 - topologyKey
8981 properties:
8982 labelSelector:
8983 description: A label query over a set of resources, in this case pods.
8984 type: object
8985 properties:
8986 matchExpressions:
8987 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8988 type: array
8989 items:
8990 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8991 type: object
8992 required:
8993 - key
8994 - operator
8995 properties:
8996 key:
8997 description: key is the label key that the selector applies to.
8998 type: string
8999 operator:
9000 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9001 type: string
9002 values:
9003 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9004 type: array
9005 items:
9006 type: string
9007 matchLabels:
9008 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9009 type: object
9010 additionalProperties:
9011 type: string
9012 namespaceSelector:
9013 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9014 type: object
9015 properties:
9016 matchExpressions:
9017 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9018 type: array
9019 items:
9020 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9021 type: object
9022 required:
9023 - key
9024 - operator
9025 properties:
9026 key:
9027 description: key is the label key that the selector applies to.
9028 type: string
9029 operator:
9030 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9031 type: string
9032 values:
9033 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9034 type: array
9035 items:
9036 type: string
9037 matchLabels:
9038 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9039 type: object
9040 additionalProperties:
9041 type: string
9042 namespaces:
9043 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9044 type: array
9045 items:
9046 type: string
9047 topologyKey:
9048 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9049 type: string
9050 podAntiAffinity:
9051 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
9052 type: object
9053 properties:
9054 preferredDuringSchedulingIgnoredDuringExecution:
9055 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
9056 type: array
9057 items:
9058 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9059 type: object
9060 required:
9061 - podAffinityTerm
9062 - weight
9063 properties:
9064 podAffinityTerm:
9065 description: Required. A pod affinity term, associated with the corresponding weight.
9066 type: object
9067 required:
9068 - topologyKey
9069 properties:
9070 labelSelector:
9071 description: A label query over a set of resources, in this case pods.
9072 type: object
9073 properties:
9074 matchExpressions:
9075 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9076 type: array
9077 items:
9078 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9079 type: object
9080 required:
9081 - key
9082 - operator
9083 properties:
9084 key:
9085 description: key is the label key that the selector applies to.
9086 type: string
9087 operator:
9088 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9089 type: string
9090 values:
9091 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9092 type: array
9093 items:
9094 type: string
9095 matchLabels:
9096 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9097 type: object
9098 additionalProperties:
9099 type: string
9100 namespaceSelector:
9101 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9102 type: object
9103 properties:
9104 matchExpressions:
9105 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9106 type: array
9107 items:
9108 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9109 type: object
9110 required:
9111 - key
9112 - operator
9113 properties:
9114 key:
9115 description: key is the label key that the selector applies to.
9116 type: string
9117 operator:
9118 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9119 type: string
9120 values:
9121 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9122 type: array
9123 items:
9124 type: string
9125 matchLabels:
9126 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9127 type: object
9128 additionalProperties:
9129 type: string
9130 namespaces:
9131 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9132 type: array
9133 items:
9134 type: string
9135 topologyKey:
9136 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9137 type: string
9138 weight:
9139 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
9140 type: integer
9141 format: int32
9142 requiredDuringSchedulingIgnoredDuringExecution:
9143 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
9144 type: array
9145 items:
9146 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
9147 type: object
9148 required:
9149 - topologyKey
9150 properties:
9151 labelSelector:
9152 description: A label query over a set of resources, in this case pods.
9153 type: object
9154 properties:
9155 matchExpressions:
9156 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9157 type: array
9158 items:
9159 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9160 type: object
9161 required:
9162 - key
9163 - operator
9164 properties:
9165 key:
9166 description: key is the label key that the selector applies to.
9167 type: string
9168 operator:
9169 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9170 type: string
9171 values:
9172 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9173 type: array
9174 items:
9175 type: string
9176 matchLabels:
9177 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9178 type: object
9179 additionalProperties:
9180 type: string
9181 namespaceSelector:
9182 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9183 type: object
9184 properties:
9185 matchExpressions:
9186 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9187 type: array
9188 items:
9189 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9190 type: object
9191 required:
9192 - key
9193 - operator
9194 properties:
9195 key:
9196 description: key is the label key that the selector applies to.
9197 type: string
9198 operator:
9199 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9200 type: string
9201 values:
9202 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9203 type: array
9204 items:
9205 type: string
9206 matchLabels:
9207 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9208 type: object
9209 additionalProperties:
9210 type: string
9211 namespaces:
9212 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9213 type: array
9214 items:
9215 type: string
9216 topologyKey:
9217 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9218 type: string
9219 nodeSelector:
9220 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
9221 type: object
9222 additionalProperties:
9223 type: string
9224 priorityClassName:
9225 description: If specified, the pod's priorityClassName.
9226 type: string
9227 serviceAccountName:
9228 description: If specified, the pod's service account
9229 type: string
9230 tolerations:
9231 description: If specified, the pod's tolerations.
9232 type: array
9233 items:
9234 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
9235 type: object
9236 properties:
9237 effect:
9238 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
9239 type: string
9240 key:
9241 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
9242 type: string
9243 operator:
9244 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
9245 type: string
9246 tolerationSeconds:
9247 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
9248 type: integer
9249 format: int64
9250 value:
9251 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
9252 type: string
9253 serviceType:
9254 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9255 type: string
9256 selector:
9257 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
9258 type: object
9259 properties:
9260 dnsNames:
9261 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9262 type: array
9263 items:
9264 type: string
9265 dnsZones:
9266 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9267 type: array
9268 items:
9269 type: string
9270 matchLabels:
9271 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
9272 type: object
9273 additionalProperties:
9274 type: string
9275 ca:
9276 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
9277 type: object
9278 required:
9279 - secretName
9280 properties:
9281 crlDistributionPoints:
9282 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
9283 type: array
9284 items:
9285 type: string
9286 ocspServers:
9287 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
9288 type: array
9289 items:
9290 type: string
9291 secretName:
9292 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
9293 type: string
9294 selfSigned:
9295 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
9296 type: object
9297 properties:
9298 crlDistributionPoints:
9299 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
9300 type: array
9301 items:
9302 type: string
9303 vault:
9304 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
9305 type: object
9306 required:
9307 - auth
9308 - path
9309 - server
9310 properties:
9311 auth:
9312 description: Auth configures how cert-manager authenticates with the Vault server.
9313 type: object
9314 properties:
9315 appRole:
9316 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
9317 type: object
9318 required:
9319 - path
9320 - roleId
9321 - secretRef
9322 properties:
9323 path:
9324 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
9325 type: string
9326 roleId:
9327 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
9328 type: string
9329 secretRef:
9330 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
9331 type: object
9332 required:
9333 - name
9334 properties:
9335 key:
9336 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9337 type: string
9338 name:
9339 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9340 type: string
9341 kubernetes:
9342 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
9343 type: object
9344 required:
9345 - role
9346 - secretRef
9347 properties:
9348 mountPath:
9349 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
9350 type: string
9351 role:
9352 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
9353 type: string
9354 secretRef:
9355 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
9356 type: object
9357 required:
9358 - name
9359 properties:
9360 key:
9361 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9362 type: string
9363 name:
9364 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9365 type: string
9366 tokenSecretRef:
9367 description: TokenSecretRef authenticates with Vault by presenting a token.
9368 type: object
9369 required:
9370 - name
9371 properties:
9372 key:
9373 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9374 type: string
9375 name:
9376 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9377 type: string
9378 caBundle:
9379 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection.
9380 type: string
9381 format: byte
9382 namespace:
9383 description: 'Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found at https://www.vaultproject.io/docs/enterprise/namespaces'
9384 type: string
9385 path:
9386 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
9387 type: string
9388 server:
9389 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
9390 type: string
9391 venafi:
9392 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
9393 type: object
9394 required:
9395 - zone
9396 properties:
9397 cloud:
9398 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
9399 type: object
9400 required:
9401 - apiTokenSecretRef
9402 properties:
9403 apiTokenSecretRef:
9404 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
9405 type: object
9406 required:
9407 - name
9408 properties:
9409 key:
9410 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9411 type: string
9412 name:
9413 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9414 type: string
9415 url:
9416 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
9417 type: string
9418 tpp:
9419 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
9420 type: object
9421 required:
9422 - credentialsRef
9423 - url
9424 properties:
9425 caBundle:
9426 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
9427 type: string
9428 format: byte
9429 credentialsRef:
9430 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
9431 type: object
9432 required:
9433 - name
9434 properties:
9435 name:
9436 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9437 type: string
9438 url:
9439 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
9440 type: string
9441 zone:
9442 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
9443 type: string
9444 status:
9445 description: Status of the ClusterIssuer. This is set and managed automatically.
9446 type: object
9447 properties:
9448 acme:
9449 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
9450 type: object
9451 properties:
9452 lastRegisteredEmail:
9453 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
9454 type: string
9455 uri:
9456 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA.
9457 type: string
9458 conditions:
9459 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
9460 type: array
9461 items:
9462 description: IssuerCondition contains condition information for an Issuer.
9463 type: object
9464 required:
9465 - status
9466 - type
9467 properties:
9468 lastTransitionTime:
9469 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
9470 type: string
9471 format: date-time
9472 message:
9473 description: Message is a human readable description of the details of the last transition, complementing reason.
9474 type: string
9475 observedGeneration:
9476 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
9477 type: integer
9478 format: int64
9479 reason:
9480 description: Reason is a brief machine readable explanation for the condition's last transition.
9481 type: string
9482 status:
9483 description: Status of the condition, one of (`True`, `False`, `Unknown`).
9484 type: string
9485 enum:
9486 - "True"
9487 - "False"
9488 - Unknown
9489 type:
9490 description: Type of the condition, known values are (`Ready`).
9491 type: string
9492 served: true
9493 storage: false
9494 - name: v1
9495 subresources:
9496 status: {}
9497 additionalPrinterColumns:
9498 - jsonPath: .status.conditions[?(@.type=="Ready")].status
9499 name: Ready
9500 type: string
9501 - jsonPath: .status.conditions[?(@.type=="Ready")].message
9502 name: Status
9503 priority: 1
9504 type: string
9505 - jsonPath: .metadata.creationTimestamp
9506 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
9507 name: Age
9508 type: date
9509 schema:
9510 openAPIV3Schema:
9511 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
9512 type: object
9513 required:
9514 - spec
9515 properties:
9516 apiVersion:
9517 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9518 type: string
9519 kind:
9520 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9521 type: string
9522 metadata:
9523 type: object
9524 spec:
9525 description: Desired state of the ClusterIssuer resource.
9526 type: object
9527 properties:
9528 acme:
9529 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
9530 type: object
9531 required:
9532 - privateKeySecretRef
9533 - server
9534 properties:
9535 disableAccountKeyGeneration:
9536 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
9537 type: boolean
9538 email:
9539 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
9540 type: string
9541 enableDurationFeature:
9542 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
9543 type: boolean
9544 externalAccountBinding:
9545 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
9546 type: object
9547 required:
9548 - keyID
9549 - keySecretRef
9550 properties:
9551 keyAlgorithm:
9552 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
9553 type: string
9554 enum:
9555 - HS256
9556 - HS384
9557 - HS512
9558 keyID:
9559 description: keyID is the ID of the CA key that the External Account is bound to.
9560 type: string
9561 keySecretRef:
9562 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
9563 type: object
9564 required:
9565 - name
9566 properties:
9567 key:
9568 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9569 type: string
9570 name:
9571 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9572 type: string
9573 preferredChain:
9574 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
9575 type: string
9576 maxLength: 64
9577 privateKeySecretRef:
9578 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
9579 type: object
9580 required:
9581 - name
9582 properties:
9583 key:
9584 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9585 type: string
9586 name:
9587 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9588 type: string
9589 server:
9590 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
9591 type: string
9592 skipTLSVerify:
9593 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
9594 type: boolean
9595 solvers:
9596 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
9597 type: array
9598 items:
9599 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
9600 type: object
9601 properties:
9602 dns01:
9603 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
9604 type: object
9605 properties:
9606 acmeDNS:
9607 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
9608 type: object
9609 required:
9610 - accountSecretRef
9611 - host
9612 properties:
9613 accountSecretRef:
9614 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9615 type: object
9616 required:
9617 - name
9618 properties:
9619 key:
9620 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9621 type: string
9622 name:
9623 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9624 type: string
9625 host:
9626 type: string
9627 akamai:
9628 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
9629 type: object
9630 required:
9631 - accessTokenSecretRef
9632 - clientSecretSecretRef
9633 - clientTokenSecretRef
9634 - serviceConsumerDomain
9635 properties:
9636 accessTokenSecretRef:
9637 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9638 type: object
9639 required:
9640 - name
9641 properties:
9642 key:
9643 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9644 type: string
9645 name:
9646 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9647 type: string
9648 clientSecretSecretRef:
9649 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9650 type: object
9651 required:
9652 - name
9653 properties:
9654 key:
9655 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9656 type: string
9657 name:
9658 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9659 type: string
9660 clientTokenSecretRef:
9661 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9662 type: object
9663 required:
9664 - name
9665 properties:
9666 key:
9667 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9668 type: string
9669 name:
9670 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9671 type: string
9672 serviceConsumerDomain:
9673 type: string
9674 azureDNS:
9675 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
9676 type: object
9677 required:
9678 - resourceGroupName
9679 - subscriptionID
9680 properties:
9681 clientID:
9682 description: If both this and ClientSecret are left unset, MSI will be used.
9683 type: string
9684 clientSecretSecretRef:
9685 description: If both this and ClientID are left unset, MSI will be used.
9686 type: object
9687 required:
9688 - name
9689 properties:
9690 key:
9691 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9692 type: string
9693 name:
9694 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9695 type: string
9696 environment:
9697 type: string
9698 enum:
9699 - AzurePublicCloud
9700 - AzureChinaCloud
9701 - AzureGermanCloud
9702 - AzureUSGovernmentCloud
9703 hostedZoneName:
9704 type: string
9705 resourceGroupName:
9706 type: string
9707 subscriptionID:
9708 type: string
9709 tenantID:
9710 description: When specifying ClientID and ClientSecret, this field is also needed.
9711 type: string
9712 cloudDNS:
9713 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
9714 type: object
9715 required:
9716 - project
9717 properties:
9718 hostedZoneName:
9719 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
9720 type: string
9721 project:
9722 type: string
9723 serviceAccountSecretRef:
9724 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9725 type: object
9726 required:
9727 - name
9728 properties:
9729 key:
9730 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9731 type: string
9732 name:
9733 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9734 type: string
9735 cloudflare:
9736 description: Use the Cloudflare API to manage DNS01 challenge records.
9737 type: object
9738 properties:
9739 apiKeySecretRef:
9740 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
9741 type: object
9742 required:
9743 - name
9744 properties:
9745 key:
9746 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9747 type: string
9748 name:
9749 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9750 type: string
9751 apiTokenSecretRef:
9752 description: API token used to authenticate with Cloudflare.
9753 type: object
9754 required:
9755 - name
9756 properties:
9757 key:
9758 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9759 type: string
9760 name:
9761 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9762 type: string
9763 email:
9764 description: Email of the account, only required when using API key based authentication.
9765 type: string
9766 cnameStrategy:
9767 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
9768 type: string
9769 enum:
9770 - None
9771 - Follow
9772 digitalocean:
9773 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
9774 type: object
9775 required:
9776 - tokenSecretRef
9777 properties:
9778 tokenSecretRef:
9779 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9780 type: object
9781 required:
9782 - name
9783 properties:
9784 key:
9785 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9786 type: string
9787 name:
9788 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9789 type: string
9790 rfc2136:
9791 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
9792 type: object
9793 required:
9794 - nameserver
9795 properties:
9796 nameserver:
9797 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
9798 type: string
9799 tsigAlgorithm:
9800 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
9801 type: string
9802 tsigKeyName:
9803 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
9804 type: string
9805 tsigSecretSecretRef:
9806 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
9807 type: object
9808 required:
9809 - name
9810 properties:
9811 key:
9812 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9813 type: string
9814 name:
9815 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9816 type: string
9817 route53:
9818 description: Use the AWS Route53 API to manage DNS01 challenge records.
9819 type: object
9820 required:
9821 - region
9822 properties:
9823 accessKeyID:
9824 description: 'The AccessKeyID is used for authentication. If not set we fall back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
9825 type: string
9826 hostedZoneID:
9827 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
9828 type: string
9829 region:
9830 description: Always set the region when using AccessKeyID and SecretAccessKey
9831 type: string
9832 role:
9833 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
9834 type: string
9835 secretAccessKeySecretRef:
9836 description: The SecretAccessKey is used for authentication. If not set we fall back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
9837 type: object
9838 required:
9839 - name
9840 properties:
9841 key:
9842 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9843 type: string
9844 name:
9845 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9846 type: string
9847 webhook:
9848 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
9849 type: object
9850 required:
9851 - groupName
9852 - solverName
9853 properties:
9854 config:
9855 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
9856 x-kubernetes-preserve-unknown-fields: true
9857 groupName:
9858 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
9859 type: string
9860 solverName:
9861 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
9862 type: string
9863 http01:
9864 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
9865 type: object
9866 properties:
9867 gatewayHTTPRoute:
9868 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
9869 type: object
9870 properties:
9871 labels:
9872 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
9873 type: object
9874 additionalProperties:
9875 type: string
9876 serviceType:
9877 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9878 type: string
9879 ingress:
9880 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
9881 type: object
9882 properties:
9883 class:
9884 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
9885 type: string
9886 ingressTemplate:
9887 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
9888 type: object
9889 properties:
9890 metadata:
9891 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9892 type: object
9893 properties:
9894 annotations:
9895 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
9896 type: object
9897 additionalProperties:
9898 type: string
9899 labels:
9900 description: Labels that should be added to the created ACME HTTP01 solver ingress.
9901 type: object
9902 additionalProperties:
9903 type: string
9904 name:
9905 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
9906 type: string
9907 podTemplate:
9908 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
9909 type: object
9910 properties:
9911 metadata:
9912 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9913 type: object
9914 properties:
9915 annotations:
9916 description: Annotations that should be added to the created ACME HTTP01 solver pods.
9917 type: object
9918 additionalProperties:
9919 type: string
9920 labels:
9921 description: Labels that should be added to the created ACME HTTP01 solver pods.
9922 type: object
9923 additionalProperties:
9924 type: string
9925 spec:
9926 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
9927 type: object
9928 properties:
9929 affinity:
9930 description: If specified, the pod's scheduling constraints
9931 type: object
9932 properties:
9933 nodeAffinity:
9934 description: Describes node affinity scheduling rules for the pod.
9935 type: object
9936 properties:
9937 preferredDuringSchedulingIgnoredDuringExecution:
9938 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
9939 type: array
9940 items:
9941 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
9942 type: object
9943 required:
9944 - preference
9945 - weight
9946 properties:
9947 preference:
9948 description: A node selector term, associated with the corresponding weight.
9949 type: object
9950 properties:
9951 matchExpressions:
9952 description: A list of node selector requirements by node's labels.
9953 type: array
9954 items:
9955 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9956 type: object
9957 required:
9958 - key
9959 - operator
9960 properties:
9961 key:
9962 description: The label key that the selector applies to.
9963 type: string
9964 operator:
9965 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9966 type: string
9967 values:
9968 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
9969 type: array
9970 items:
9971 type: string
9972 matchFields:
9973 description: A list of node selector requirements by node's fields.
9974 type: array
9975 items:
9976 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9977 type: object
9978 required:
9979 - key
9980 - operator
9981 properties:
9982 key:
9983 description: The label key that the selector applies to.
9984 type: string
9985 operator:
9986 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9987 type: string
9988 values:
9989 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
9990 type: array
9991 items:
9992 type: string
9993 weight:
9994 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
9995 type: integer
9996 format: int32
9997 requiredDuringSchedulingIgnoredDuringExecution:
9998 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
9999 type: object
10000 required:
10001 - nodeSelectorTerms
10002 properties:
10003 nodeSelectorTerms:
10004 description: Required. A list of node selector terms. The terms are ORed.
10005 type: array
10006 items:
10007 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
10008 type: object
10009 properties:
10010 matchExpressions:
10011 description: A list of node selector requirements by node's labels.
10012 type: array
10013 items:
10014 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10015 type: object
10016 required:
10017 - key
10018 - operator
10019 properties:
10020 key:
10021 description: The label key that the selector applies to.
10022 type: string
10023 operator:
10024 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10025 type: string
10026 values:
10027 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10028 type: array
10029 items:
10030 type: string
10031 matchFields:
10032 description: A list of node selector requirements by node's fields.
10033 type: array
10034 items:
10035 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10036 type: object
10037 required:
10038 - key
10039 - operator
10040 properties:
10041 key:
10042 description: The label key that the selector applies to.
10043 type: string
10044 operator:
10045 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10046 type: string
10047 values:
10048 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10049 type: array
10050 items:
10051 type: string
10052 podAffinity:
10053 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
10054 type: object
10055 properties:
10056 preferredDuringSchedulingIgnoredDuringExecution:
10057 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10058 type: array
10059 items:
10060 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10061 type: object
10062 required:
10063 - podAffinityTerm
10064 - weight
10065 properties:
10066 podAffinityTerm:
10067 description: Required. A pod affinity term, associated with the corresponding weight.
10068 type: object
10069 required:
10070 - topologyKey
10071 properties:
10072 labelSelector:
10073 description: A label query over a set of resources, in this case pods.
10074 type: object
10075 properties:
10076 matchExpressions:
10077 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10078 type: array
10079 items:
10080 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10081 type: object
10082 required:
10083 - key
10084 - operator
10085 properties:
10086 key:
10087 description: key is the label key that the selector applies to.
10088 type: string
10089 operator:
10090 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10091 type: string
10092 values:
10093 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10094 type: array
10095 items:
10096 type: string
10097 matchLabels:
10098 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10099 type: object
10100 additionalProperties:
10101 type: string
10102 namespaceSelector:
10103 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10104 type: object
10105 properties:
10106 matchExpressions:
10107 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10108 type: array
10109 items:
10110 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10111 type: object
10112 required:
10113 - key
10114 - operator
10115 properties:
10116 key:
10117 description: key is the label key that the selector applies to.
10118 type: string
10119 operator:
10120 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10121 type: string
10122 values:
10123 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10124 type: array
10125 items:
10126 type: string
10127 matchLabels:
10128 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10129 type: object
10130 additionalProperties:
10131 type: string
10132 namespaces:
10133 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10134 type: array
10135 items:
10136 type: string
10137 topologyKey:
10138 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10139 type: string
10140 weight:
10141 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10142 type: integer
10143 format: int32
10144 requiredDuringSchedulingIgnoredDuringExecution:
10145 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10146 type: array
10147 items:
10148 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10149 type: object
10150 required:
10151 - topologyKey
10152 properties:
10153 labelSelector:
10154 description: A label query over a set of resources, in this case pods.
10155 type: object
10156 properties:
10157 matchExpressions:
10158 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10159 type: array
10160 items:
10161 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10162 type: object
10163 required:
10164 - key
10165 - operator
10166 properties:
10167 key:
10168 description: key is the label key that the selector applies to.
10169 type: string
10170 operator:
10171 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10172 type: string
10173 values:
10174 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10175 type: array
10176 items:
10177 type: string
10178 matchLabels:
10179 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10180 type: object
10181 additionalProperties:
10182 type: string
10183 namespaceSelector:
10184 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10185 type: object
10186 properties:
10187 matchExpressions:
10188 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10189 type: array
10190 items:
10191 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10192 type: object
10193 required:
10194 - key
10195 - operator
10196 properties:
10197 key:
10198 description: key is the label key that the selector applies to.
10199 type: string
10200 operator:
10201 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10202 type: string
10203 values:
10204 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10205 type: array
10206 items:
10207 type: string
10208 matchLabels:
10209 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10210 type: object
10211 additionalProperties:
10212 type: string
10213 namespaces:
10214 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10215 type: array
10216 items:
10217 type: string
10218 topologyKey:
10219 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10220 type: string
10221 podAntiAffinity:
10222 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
10223 type: object
10224 properties:
10225 preferredDuringSchedulingIgnoredDuringExecution:
10226 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10227 type: array
10228 items:
10229 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10230 type: object
10231 required:
10232 - podAffinityTerm
10233 - weight
10234 properties:
10235 podAffinityTerm:
10236 description: Required. A pod affinity term, associated with the corresponding weight.
10237 type: object
10238 required:
10239 - topologyKey
10240 properties:
10241 labelSelector:
10242 description: A label query over a set of resources, in this case pods.
10243 type: object
10244 properties:
10245 matchExpressions:
10246 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10247 type: array
10248 items:
10249 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10250 type: object
10251 required:
10252 - key
10253 - operator
10254 properties:
10255 key:
10256 description: key is the label key that the selector applies to.
10257 type: string
10258 operator:
10259 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10260 type: string
10261 values:
10262 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10263 type: array
10264 items:
10265 type: string
10266 matchLabels:
10267 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10268 type: object
10269 additionalProperties:
10270 type: string
10271 namespaceSelector:
10272 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10273 type: object
10274 properties:
10275 matchExpressions:
10276 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10277 type: array
10278 items:
10279 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10280 type: object
10281 required:
10282 - key
10283 - operator
10284 properties:
10285 key:
10286 description: key is the label key that the selector applies to.
10287 type: string
10288 operator:
10289 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10290 type: string
10291 values:
10292 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10293 type: array
10294 items:
10295 type: string
10296 matchLabels:
10297 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10298 type: object
10299 additionalProperties:
10300 type: string
10301 namespaces:
10302 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10303 type: array
10304 items:
10305 type: string
10306 topologyKey:
10307 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10308 type: string
10309 weight:
10310 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10311 type: integer
10312 format: int32
10313 requiredDuringSchedulingIgnoredDuringExecution:
10314 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10315 type: array
10316 items:
10317 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10318 type: object
10319 required:
10320 - topologyKey
10321 properties:
10322 labelSelector:
10323 description: A label query over a set of resources, in this case pods.
10324 type: object
10325 properties:
10326 matchExpressions:
10327 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10328 type: array
10329 items:
10330 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10331 type: object
10332 required:
10333 - key
10334 - operator
10335 properties:
10336 key:
10337 description: key is the label key that the selector applies to.
10338 type: string
10339 operator:
10340 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10341 type: string
10342 values:
10343 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10344 type: array
10345 items:
10346 type: string
10347 matchLabels:
10348 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10349 type: object
10350 additionalProperties:
10351 type: string
10352 namespaceSelector:
10353 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10354 type: object
10355 properties:
10356 matchExpressions:
10357 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10358 type: array
10359 items:
10360 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10361 type: object
10362 required:
10363 - key
10364 - operator
10365 properties:
10366 key:
10367 description: key is the label key that the selector applies to.
10368 type: string
10369 operator:
10370 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10371 type: string
10372 values:
10373 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10374 type: array
10375 items:
10376 type: string
10377 matchLabels:
10378 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10379 type: object
10380 additionalProperties:
10381 type: string
10382 namespaces:
10383 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10384 type: array
10385 items:
10386 type: string
10387 topologyKey:
10388 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10389 type: string
10390 nodeSelector:
10391 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
10392 type: object
10393 additionalProperties:
10394 type: string
10395 priorityClassName:
10396 description: If specified, the pod's priorityClassName.
10397 type: string
10398 serviceAccountName:
10399 description: If specified, the pod's service account
10400 type: string
10401 tolerations:
10402 description: If specified, the pod's tolerations.
10403 type: array
10404 items:
10405 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
10406 type: object
10407 properties:
10408 effect:
10409 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
10410 type: string
10411 key:
10412 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
10413 type: string
10414 operator:
10415 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
10416 type: string
10417 tolerationSeconds:
10418 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
10419 type: integer
10420 format: int64
10421 value:
10422 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
10423 type: string
10424 serviceType:
10425 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
10426 type: string
10427 selector:
10428 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
10429 type: object
10430 properties:
10431 dnsNames:
10432 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10433 type: array
10434 items:
10435 type: string
10436 dnsZones:
10437 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10438 type: array
10439 items:
10440 type: string
10441 matchLabels:
10442 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
10443 type: object
10444 additionalProperties:
10445 type: string
10446 ca:
10447 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
10448 type: object
10449 required:
10450 - secretName
10451 properties:
10452 crlDistributionPoints:
10453 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
10454 type: array
10455 items:
10456 type: string
10457 ocspServers:
10458 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
10459 type: array
10460 items:
10461 type: string
10462 secretName:
10463 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
10464 type: string
10465 selfSigned:
10466 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
10467 type: object
10468 properties:
10469 crlDistributionPoints:
10470 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without CDP. Values are strings.
10471 type: array
10472 items:
10473 type: string
10474 vault:
10475 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
10476 type: object
10477 required:
10478 - auth
10479 - path
10480 - server
10481 properties:
10482 auth:
10483 description: Auth configures how cert-manager authenticates with the Vault server.
10484 type: object
10485 properties:
10486 appRole:
10487 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
10488 type: object
10489 required:
10490 - path
10491 - roleId
10492 - secretRef
10493 properties:
10494 path:
10495 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
10496 type: string
10497 roleId:
10498 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
10499 type: string
10500 secretRef:
10501 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
10502 type: object
10503 required:
10504 - name
10505 properties:
10506 key:
10507 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10508 type: string
10509 name:
10510 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10511 type: string
10512 kubernetes:
10513 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
10514 type: object
10515 required:
10516 - role
10517 - secretRef
10518 properties:
10519 mountPath:
10520 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
10521 type: string
10522 role:
10523 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
10524 type: string
10525 secretRef:
10526 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
10527 type: object
10528 required:
10529 - name
10530 properties:
10531 key:
10532 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10533 type: string
10534 name:
10535 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10536 type: string
10537 tokenSecretRef:
10538 description: TokenSecretRef authenticates with Vault by presenting a token.
10539 type: object
10540 required:
10541 - name
10542 properties:
10543 key:
10544 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10545 type: string
10546 name:
10547 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10548 type: string
10549 caBundle:
10550 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection.
10551 type: string
10552 format: byte
10553 namespace:
10554 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
10555 type: string
10556 path:
10557 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
10558 type: string
10559 server:
10560 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
10561 type: string
10562 venafi:
10563 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
10564 type: object
10565 required:
10566 - zone
10567 properties:
10568 cloud:
10569 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
10570 type: object
10571 required:
10572 - apiTokenSecretRef
10573 properties:
10574 apiTokenSecretRef:
10575 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
10576 type: object
10577 required:
10578 - name
10579 properties:
10580 key:
10581 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10582 type: string
10583 name:
10584 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10585 type: string
10586 url:
10587 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
10588 type: string
10589 tpp:
10590 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
10591 type: object
10592 required:
10593 - credentialsRef
10594 - url
10595 properties:
10596 caBundle:
10597 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
10598 type: string
10599 format: byte
10600 credentialsRef:
10601 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
10602 type: object
10603 required:
10604 - name
10605 properties:
10606 name:
10607 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10608 type: string
10609 url:
10610 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
10611 type: string
10612 zone:
10613 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
10614 type: string
10615 status:
10616 description: Status of the ClusterIssuer. This is set and managed automatically.
10617 type: object
10618 properties:
10619 acme:
10620 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
10621 type: object
10622 properties:
10623 lastRegisteredEmail:
10624 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
10625 type: string
10626 uri:
10627 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
10628 type: string
10629 conditions:
10630 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
10631 type: array
10632 items:
10633 description: IssuerCondition contains condition information for an Issuer.
10634 type: object
10635 required:
10636 - status
10637 - type
10638 properties:
10639 lastTransitionTime:
10640 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
10641 type: string
10642 format: date-time
10643 message:
10644 description: Message is a human readable description of the details of the last transition, complementing reason.
10645 type: string
10646 observedGeneration:
10647 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
10648 type: integer
10649 format: int64
10650 reason:
10651 description: Reason is a brief machine readable explanation for the condition's last transition.
10652 type: string
10653 status:
10654 description: Status of the condition, one of (`True`, `False`, `Unknown`).
10655 type: string
10656 enum:
10657 - "True"
10658 - "False"
10659 - Unknown
10660 type:
10661 description: Type of the condition, known values are (`Ready`).
10662 type: string
10663 served: true
10664 storage: true
10665---
10666# Source: cert-manager/templates/templates.out
10667apiVersion: apiextensions.k8s.io/v1
10668kind: CustomResourceDefinition
10669metadata:
10670 name: issuers.cert-manager.io
10671 annotations:
10672 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
10673 labels:
10674 app: 'cert-manager'
10675 app.kubernetes.io/name: 'cert-manager'
10676 app.kubernetes.io/instance: 'cert-manager'
10677 # Generated labels
10678 app.kubernetes.io/version: "v1.5.4"
10679spec:
10680 group: cert-manager.io
10681 names:
10682 kind: Issuer
10683 listKind: IssuerList
10684 plural: issuers
10685 singular: issuer
10686 categories:
10687 - cert-manager
10688 scope: Namespaced
10689 conversion:
10690 # a Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
10691 strategy: Webhook
10692 # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint to be called by the API server.
10693 webhook:
10694 # We don't actually support `v1beta1`, but it is listed here as it is a
10695 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
10696 # API server reads the supported versions in order, so _should always_
10697 # attempt a `v1` request which is understood by the cert-manager webhook.
10698 # Any `v1beta1` request will return an error and fail closed for that
10699 # resource (the whole object request is rejected).
10700 # When we no longer support v1.16 we can remove `v1beta1` from this list.
10701 conversionReviewVersions: ["v1", "v1beta1"]
10702 clientConfig:
10703 #
10704 service:
10705 name: 'cert-manager-webhook'
10706 namespace: "cert-manager"
10707 path: /convert
10708 #
10709 versions:
10710 - name: v1alpha2
10711 subresources:
10712 status: {}
10713 additionalPrinterColumns:
10714 - jsonPath: .status.conditions[?(@.type=="Ready")].status
10715 name: Ready
10716 type: string
10717 - jsonPath: .status.conditions[?(@.type=="Ready")].message
10718 name: Status
10719 priority: 1
10720 type: string
10721 - jsonPath: .metadata.creationTimestamp
10722 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
10723 name: Age
10724 type: date
10725 schema:
10726 openAPIV3Schema:
10727 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
10728 type: object
10729 properties:
10730 apiVersion:
10731 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10732 type: string
10733 kind:
10734 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10735 type: string
10736 metadata:
10737 type: object
10738 spec:
10739 description: Desired state of the Issuer resource.
10740 type: object
10741 properties:
10742 acme:
10743 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
10744 type: object
10745 required:
10746 - privateKeySecretRef
10747 - server
10748 properties:
10749 disableAccountKeyGeneration:
10750 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
10751 type: boolean
10752 email:
10753 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
10754 type: string
10755 enableDurationFeature:
10756 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
10757 type: boolean
10758 externalAccountBinding:
10759 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
10760 type: object
10761 required:
10762 - keyID
10763 - keySecretRef
10764 properties:
10765 keyAlgorithm:
10766 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
10767 type: string
10768 enum:
10769 - HS256
10770 - HS384
10771 - HS512
10772 keyID:
10773 description: keyID is the ID of the CA key that the External Account is bound to.
10774 type: string
10775 keySecretRef:
10776 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
10777 type: object
10778 required:
10779 - name
10780 properties:
10781 key:
10782 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10783 type: string
10784 name:
10785 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10786 type: string
10787 preferredChain:
10788 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
10789 type: string
10790 maxLength: 64
10791 privateKeySecretRef:
10792 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
10793 type: object
10794 required:
10795 - name
10796 properties:
10797 key:
10798 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10799 type: string
10800 name:
10801 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10802 type: string
10803 server:
10804 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
10805 type: string
10806 skipTLSVerify:
10807 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
10808 type: boolean
10809 solvers:
10810 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
10811 type: array
10812 items:
10813 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
10814 type: object
10815 properties:
10816 dns01:
10817 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
10818 type: object
10819 properties:
10820 acmedns:
10821 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
10822 type: object
10823 required:
10824 - accountSecretRef
10825 - host
10826 properties:
10827 accountSecretRef:
10828 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10829 type: object
10830 required:
10831 - name
10832 properties:
10833 key:
10834 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10835 type: string
10836 name:
10837 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10838 type: string
10839 host:
10840 type: string
10841 akamai:
10842 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
10843 type: object
10844 required:
10845 - accessTokenSecretRef
10846 - clientSecretSecretRef
10847 - clientTokenSecretRef
10848 - serviceConsumerDomain
10849 properties:
10850 accessTokenSecretRef:
10851 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10852 type: object
10853 required:
10854 - name
10855 properties:
10856 key:
10857 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10858 type: string
10859 name:
10860 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10861 type: string
10862 clientSecretSecretRef:
10863 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10864 type: object
10865 required:
10866 - name
10867 properties:
10868 key:
10869 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10870 type: string
10871 name:
10872 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10873 type: string
10874 clientTokenSecretRef:
10875 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10876 type: object
10877 required:
10878 - name
10879 properties:
10880 key:
10881 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10882 type: string
10883 name:
10884 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10885 type: string
10886 serviceConsumerDomain:
10887 type: string
10888 azuredns:
10889 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
10890 type: object
10891 required:
10892 - resourceGroupName
10893 - subscriptionID
10894 properties:
10895 clientID:
10896 description: If both this and ClientSecret are left unset, MSI will be used.
10897 type: string
10898 clientSecretSecretRef:
10899 description: If both this and ClientID are left unset, MSI will be used.
10900 type: object
10901 required:
10902 - name
10903 properties:
10904 key:
10905 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10906 type: string
10907 name:
10908 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10909 type: string
10910 environment:
10911 type: string
10912 enum:
10913 - AzurePublicCloud
10914 - AzureChinaCloud
10915 - AzureGermanCloud
10916 - AzureUSGovernmentCloud
10917 hostedZoneName:
10918 type: string
10919 resourceGroupName:
10920 type: string
10921 subscriptionID:
10922 type: string
10923 tenantID:
10924 description: When specifying ClientID and ClientSecret, this field is also required.
10925 type: string
10926 clouddns:
10927 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
10928 type: object
10929 required:
10930 - project
10931 properties:
10932 hostedZoneName:
10933 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
10934 type: string
10935 project:
10936 type: string
10937 serviceAccountSecretRef:
10938 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10939 type: object
10940 required:
10941 - name
10942 properties:
10943 key:
10944 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10945 type: string
10946 name:
10947 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10948 type: string
10949 cloudflare:
10950 description: Use the Cloudflare API to manage DNS01 challenge records.
10951 type: object
10952 properties:
10953 apiKeySecretRef:
10954 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
10955 type: object
10956 required:
10957 - name
10958 properties:
10959 key:
10960 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10961 type: string
10962 name:
10963 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10964 type: string
10965 apiTokenSecretRef:
10966 description: API token used to authenticate with Cloudflare.
10967 type: object
10968 required:
10969 - name
10970 properties:
10971 key:
10972 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10973 type: string
10974 name:
10975 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10976 type: string
10977 email:
10978 description: Email of the account, only required when using API key based authentication.
10979 type: string
10980 cnameStrategy:
10981 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
10982 type: string
10983 enum:
10984 - None
10985 - Follow
10986 digitalocean:
10987 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
10988 type: object
10989 required:
10990 - tokenSecretRef
10991 properties:
10992 tokenSecretRef:
10993 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10994 type: object
10995 required:
10996 - name
10997 properties:
10998 key:
10999 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11000 type: string
11001 name:
11002 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11003 type: string
11004 rfc2136:
11005 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
11006 type: object
11007 required:
11008 - nameserver
11009 properties:
11010 nameserver:
11011 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); the port is optional. This field is required.
11012 type: string
11013 tsigAlgorithm:
11014 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
11015 type: string
11016 tsigKeyName:
11017 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
11018 type: string
11019 tsigSecretSecretRef:
11020 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
11021 type: object
11022 required:
11023 - name
11024 properties:
11025 key:
11026 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11027 type: string
11028 name:
11029 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11030 type: string
11031 route53:
11032 description: Use the AWS Route53 API to manage DNS01 challenge records.
11033 type: object
11034 required:
11035 - region
11036 properties:
11037 accessKeyID:
11038 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
11039 type: string
11040 hostedZoneID:
11041 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
11042 type: string
11043 region:
11044 description: Always set the region when using AccessKeyID and SecretAccessKey
11045 type: string
11046 role:
11047 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
11048 type: string
11049 secretAccessKeySecretRef:
11050 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
11051 type: object
11052 required:
11053 - name
11054 properties:
11055 key:
11056 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11057 type: string
11058 name:
11059 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11060 type: string
11061 webhook:
11062 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
11063 type: object
11064 required:
11065 - groupName
11066 - solverName
11067 properties:
11068 config:
11069 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
11070 x-kubernetes-preserve-unknown-fields: true
11071 groupName:
11072 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
11073 type: string
11074 solverName:
11075 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
11076 type: string
11077 http01:
11078 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
11079 type: object
11080 properties:
11081 gatewayHTTPRoute:
11082 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
11083 type: object
11084 properties:
11085 labels:
11086 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
11087 type: object
11088 additionalProperties:
11089 type: string
11090 serviceType:
11091 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11092 type: string
11093 ingress:
11094 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
11095 type: object
11096 properties:
11097 class:
11098 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
11099 type: string
11100 ingressTemplate:
11101 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
11102 type: object
11103 properties:
11104 metadata:
11105 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11106 type: object
11107 properties:
11108 annotations:
11109 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
11110 type: object
11111 additionalProperties:
11112 type: string
11113 labels:
11114 description: Labels that should be added to the created ACME HTTP01 solver ingress.
11115 type: object
11116 additionalProperties:
11117 type: string
11118 name:
11119 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
11120 type: string
11121 podTemplate:
11122 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
11123 type: object
11124 properties:
11125 metadata:
11126 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11127 type: object
11128 properties:
11129 annotations:
11130 description: Annotations that should be added to the created ACME HTTP01 solver pods.
11131 type: object
11132 additionalProperties:
11133 type: string
11134 labels:
11135 description: Labels that should be added to the created ACME HTTP01 solver pods.
11136 type: object
11137 additionalProperties:
11138 type: string
11139 spec:
11140 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
11141 type: object
11142 properties:
11143 affinity:
11144 description: If specified, the pod's scheduling constraints
11145 type: object
11146 properties:
11147 nodeAffinity:
11148 description: Describes node affinity scheduling rules for the pod.
11149 type: object
11150 properties:
11151 preferredDuringSchedulingIgnoredDuringExecution:
11152 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
11153 type: array
11154 items:
11155 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
11156 type: object
11157 required:
11158 - preference
11159 - weight
11160 properties:
11161 preference:
11162 description: A node selector term, associated with the corresponding weight.
11163 type: object
11164 properties:
11165 matchExpressions:
11166 description: A list of node selector requirements by node's labels.
11167 type: array
11168 items:
11169 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11170 type: object
11171 required:
11172 - key
11173 - operator
11174 properties:
11175 key:
11176 description: The label key that the selector applies to.
11177 type: string
11178 operator:
11179 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11180 type: string
11181 values:
11182 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11183 type: array
11184 items:
11185 type: string
11186 matchFields:
11187 description: A list of node selector requirements by node's fields.
11188 type: array
11189 items:
11190 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11191 type: object
11192 required:
11193 - key
11194 - operator
11195 properties:
11196 key:
11197 description: The label key that the selector applies to.
11198 type: string
11199 operator:
11200 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11201 type: string
11202 values:
11203 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11204 type: array
11205 items:
11206 type: string
11207 weight:
11208 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
11209 type: integer
11210 format: int32
11211 requiredDuringSchedulingIgnoredDuringExecution:
11212 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
11213 type: object
11214 required:
11215 - nodeSelectorTerms
11216 properties:
11217 nodeSelectorTerms:
11218 description: Required. A list of node selector terms. The terms are ORed.
11219 type: array
11220 items:
11221 description: A null or empty node selector term matches no objects. Its requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
11222 type: object
11223 properties:
11224 matchExpressions:
11225 description: A list of node selector requirements by node's labels.
11226 type: array
11227 items:
11228 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11229 type: object
11230 required:
11231 - key
11232 - operator
11233 properties:
11234 key:
11235 description: The label key that the selector applies to.
11236 type: string
11237 operator:
11238 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11239 type: string
11240 values:
11241 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11242 type: array
11243 items:
11244 type: string
11245 matchFields:
11246 description: A list of node selector requirements by node's fields.
11247 type: array
11248 items:
11249 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11250 type: object
11251 required:
11252 - key
11253 - operator
11254 properties:
11255 key:
11256 description: The label key that the selector applies to.
11257 type: string
11258 operator:
11259 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11260 type: string
11261 values:
11262 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11263 type: array
11264 items:
11265 type: string
11266 podAffinity:
11267 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
11268 type: object
11269 properties:
11270 preferredDuringSchedulingIgnoredDuringExecution:
11271 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11272 type: array
11273 items:
11274 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11275 type: object
11276 required:
11277 - podAffinityTerm
11278 - weight
11279 properties:
11280 podAffinityTerm:
11281 description: Required. A pod affinity term, associated with the corresponding weight.
11282 type: object
11283 required:
11284 - topologyKey
11285 properties:
11286 labelSelector:
11287 description: A label query over a set of resources, in this case pods.
11288 type: object
11289 properties:
11290 matchExpressions:
11291 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11292 type: array
11293 items:
11294 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11295 type: object
11296 required:
11297 - key
11298 - operator
11299 properties:
11300 key:
11301 description: key is the label key that the selector applies to.
11302 type: string
11303 operator:
11304 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11305 type: string
11306 values:
11307 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11308 type: array
11309 items:
11310 type: string
11311 matchLabels:
11312 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11313 type: object
11314 additionalProperties:
11315 type: string
11316 namespaceSelector:
11317 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector and a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when the PodAffinityNamespaceSelector feature is enabled.
11318 type: object
11319 properties:
11320 matchExpressions:
11321 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11322 type: array
11323 items:
11324 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11325 type: object
11326 required:
11327 - key
11328 - operator
11329 properties:
11330 key:
11331 description: key is the label key that the selector applies to.
11332 type: string
11333 operator:
11334 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11335 type: string
11336 values:
11337 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11338 type: array
11339 items:
11340 type: string
11341 matchLabels:
11342 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11343 type: object
11344 additionalProperties:
11345 type: string
11346 namespaces:
11347 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. A null or empty namespaces list and a null namespaceSelector means "this pod's namespace".
11348 type: array
11349 items:
11350 type: string
11351 topologyKey:
11352 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11353 type: string
11354 weight:
11355 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11356 type: integer
11357 format: int32
11358 requiredDuringSchedulingIgnoredDuringExecution:
11359 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11360 type: array
11361 items:
11362 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11363 type: object
11364 required:
11365 - topologyKey
11366 properties:
11367 labelSelector:
11368 description: A label query over a set of resources, in this case pods.
11369 type: object
11370 properties:
11371 matchExpressions:
11372 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11373 type: array
11374 items:
11375 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11376 type: object
11377 required:
11378 - key
11379 - operator
11380 properties:
11381 key:
11382 description: key is the label key that the selector applies to.
11383 type: string
11384 operator:
11385 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11386 type: string
11387 values:
11388 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11389 type: array
11390 items:
11391 type: string
11392 matchLabels:
11393 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11394 type: object
11395 additionalProperties:
11396 type: string
11397 namespaceSelector:
11398 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11399 type: object
11400 properties:
11401 matchExpressions:
11402 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11403 type: array
11404 items:
11405 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11406 type: object
11407 required:
11408 - key
11409 - operator
11410 properties:
11411 key:
11412 description: key is the label key that the selector applies to.
11413 type: string
11414 operator:
11415 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11416 type: string
11417 values:
11418 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11419 type: array
11420 items:
11421 type: string
11422 matchLabels:
11423 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11424 type: object
11425 additionalProperties:
11426 type: string
11427 namespaces:
11428 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11429 type: array
11430 items:
11431 type: string
11432 topologyKey:
11433 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11434 type: string
11435 podAntiAffinity:
11436 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
11437 type: object
11438 properties:
11439 preferredDuringSchedulingIgnoredDuringExecution:
11440 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11441 type: array
11442 items:
11443 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11444 type: object
11445 required:
11446 - podAffinityTerm
11447 - weight
11448 properties:
11449 podAffinityTerm:
11450 description: Required. A pod affinity term, associated with the corresponding weight.
11451 type: object
11452 required:
11453 - topologyKey
11454 properties:
11455 labelSelector:
11456 description: A label query over a set of resources, in this case pods.
11457 type: object
11458 properties:
11459 matchExpressions:
11460 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11461 type: array
11462 items:
11463 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11464 type: object
11465 required:
11466 - key
11467 - operator
11468 properties:
11469 key:
11470 description: key is the label key that the selector applies to.
11471 type: string
11472 operator:
11473 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11474 type: string
11475 values:
11476 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11477 type: array
11478 items:
11479 type: string
11480 matchLabels:
11481 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11482 type: object
11483 additionalProperties:
11484 type: string
11485 namespaceSelector:
11486 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11487 type: object
11488 properties:
11489 matchExpressions:
11490 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11491 type: array
11492 items:
11493 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11494 type: object
11495 required:
11496 - key
11497 - operator
11498 properties:
11499 key:
11500 description: key is the label key that the selector applies to.
11501 type: string
11502 operator:
11503 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11504 type: string
11505 values:
11506 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11507 type: array
11508 items:
11509 type: string
11510 matchLabels:
11511 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11512 type: object
11513 additionalProperties:
11514 type: string
11515 namespaces:
11516 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11517 type: array
11518 items:
11519 type: string
11520 topologyKey:
11521 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11522 type: string
11523 weight:
11524 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11525 type: integer
11526 format: int32
11527 requiredDuringSchedulingIgnoredDuringExecution:
11528 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11529 type: array
11530 items:
11531 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11532 type: object
11533 required:
11534 - topologyKey
11535 properties:
11536 labelSelector:
11537 description: A label query over a set of resources, in this case pods.
11538 type: object
11539 properties:
11540 matchExpressions:
11541 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11542 type: array
11543 items:
11544 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11545 type: object
11546 required:
11547 - key
11548 - operator
11549 properties:
11550 key:
11551 description: key is the label key that the selector applies to.
11552 type: string
11553 operator:
11554 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11555 type: string
11556 values:
11557 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11558 type: array
11559 items:
11560 type: string
11561 matchLabels:
11562 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11563 type: object
11564 additionalProperties:
11565 type: string
11566 namespaceSelector:
11567 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11568 type: object
11569 properties:
11570 matchExpressions:
11571 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11572 type: array
11573 items:
11574 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11575 type: object
11576 required:
11577 - key
11578 - operator
11579 properties:
11580 key:
11581 description: key is the label key that the selector applies to.
11582 type: string
11583 operator:
11584 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11585 type: string
11586 values:
11587 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11588 type: array
11589 items:
11590 type: string
11591 matchLabels:
11592 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11593 type: object
11594 additionalProperties:
11595 type: string
11596 namespaces:
11597 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11598 type: array
11599 items:
11600 type: string
11601 topologyKey:
11602 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11603 type: string
11604 nodeSelector:
11605 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
11606 type: object
11607 additionalProperties:
11608 type: string
11609 priorityClassName:
11610 description: If specified, the pod's priorityClassName.
11611 type: string
11612 serviceAccountName:
11613 description: If specified, the pod's service account.
11614 type: string
11615 tolerations:
11616 description: If specified, the pod's tolerations.
11617 type: array
11618 items:
11619 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
11620 type: object
11621 properties:
11622 effect:
11623 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
11624 type: string
11625 key:
11626 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
11627 type: string
11628 operator:
11629 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
11630 type: string
11631 tolerationSeconds:
11632 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
11633 type: integer
11634 format: int64
11635 value:
11636 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
11637 type: string
11638 serviceType:
11639 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11640 type: string
11641 selector:
11642 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
11643 type: object
11644 properties:
11645 dnsNames:
11646 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
11647 type: array
11648 items:
11649 type: string
11650 dnsZones:
11651 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
11652 type: array
11653 items:
11654 type: string
11655 matchLabels:
11656 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
11657 type: object
11658 additionalProperties:
11659 type: string
11660 ca:
11661 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
11662 type: object
11663 required:
11664 - secretName
11665 properties:
11666 crlDistributionPoints:
11667 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
11668 type: array
11669 items:
11670 type: string
11671 ocspServers:
11672 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
11673 type: array
11674 items:
11675 type: string
11676 secretName:
11677 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
11678 type: string
11679 selfSigned:
11680 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
11681 type: object
11682 properties:
11683 crlDistributionPoints:
11684 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
11685 type: array
11686 items:
11687 type: string
11688 vault:
11689 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
11690 type: object
11691 required:
11692 - auth
11693 - path
11694 - server
11695 properties:
11696 auth:
11697 description: Auth configures how cert-manager authenticates with the Vault server.
11698 type: object
11699 properties:
11700 appRole:
11701 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
11702 type: object
11703 required:
11704 - path
11705 - roleId
11706 - secretRef
11707 properties:
11708 path:
11709 description: 'Path where the App Role authentication backend is mounted in Vault, e.g. "approle"'
11710 type: string
11711 roleId:
11712 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
11713 type: string
11714 secretRef:
11715 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
11716 type: object
11717 required:
11718 - name
11719 properties:
11720 key:
11721 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11722 type: string
11723 name:
11724 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11725 type: string
11726 kubernetes:
11727 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
11728 type: object
11729 required:
11730 - role
11731 - secretRef
11732 properties:
11733 mountPath:
11734 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
11735 type: string
11736 role:
11737 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
11738 type: string
11739 secretRef:
11740 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
11741 type: object
11742 required:
11743 - name
11744 properties:
11745 key:
11746 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11747 type: string
11748 name:
11749 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11750 type: string
11751 tokenSecretRef:
11752 description: TokenSecretRef authenticates with Vault by presenting a token.
11753 type: object
11754 required:
11755 - name
11756 properties:
11757 key:
11758 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11759 type: string
11760 name:
11761 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11762 type: string
11763 caBundle:
11764 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection.
11765 type: string
11766 format: byte
11767 namespace:
11768 description: 'Name of the vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
11769 type: string
11770 path:
11771 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
11772 type: string
11773 server:
11774 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
11775 type: string
11776 venafi:
11777 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
11778 type: object
11779 required:
11780 - zone
11781 properties:
11782 cloud:
11783 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
11784 type: object
11785 required:
11786 - apiTokenSecretRef
11787 properties:
11788 apiTokenSecretRef:
11789 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
11790 type: object
11791 required:
11792 - name
11793 properties:
11794 key:
11795 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11796 type: string
11797 name:
11798 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11799 type: string
11800 url:
11801 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
11802 type: string
11803 tpp:
11804 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
11805 type: object
11806 required:
11807 - credentialsRef
11808 - url
11809 properties:
11810 caBundle:
11811 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
11812 type: string
11813 format: byte
11814 credentialsRef:
11815 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
11816 type: object
11817 required:
11818 - name
11819 properties:
11820 name:
11821 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11822 type: string
11823 url:
11824 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
11825 type: string
11826 zone:
11827 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
11828 type: string
11829 status:
11830 description: Status of the Issuer. This is set and managed automatically.
11831 type: object
11832 properties:
11833 acme:
11834 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
11835 type: object
11836 properties:
11837 lastRegisteredEmail:
11838 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
11839 type: string
11840 uri:
11841 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA.
11842 type: string
11843 conditions:
11844 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
11845 type: array
11846 items:
11847 description: IssuerCondition contains condition information for an Issuer.
11848 type: object
11849 required:
11850 - status
11851 - type
11852 properties:
11853 lastTransitionTime:
11854 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
11855 type: string
11856 format: date-time
11857 message:
11858 description: Message is a human readable description of the details of the last transition, complementing reason.
11859 type: string
11860 observedGeneration:
11861 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
11862 type: integer
11863 format: int64
11864 reason:
11865 description: Reason is a brief machine readable explanation for the condition's last transition.
11866 type: string
11867 status:
11868 description: Status of the condition, one of (`True`, `False`, `Unknown`).
11869 type: string
11870 enum:
11871 - "True"
11872 - "False"
11873 - Unknown
11874 type:
11875 description: Type of the condition, known values are (`Ready`).
11876 type: string
11877 served: true
11878 storage: false
11879 - name: v1alpha3
11880 subresources:
11881 status: {}
11882 additionalPrinterColumns:
11883 - jsonPath: .status.conditions[?(@.type=="Ready")].status
11884 name: Ready
11885 type: string
11886 - jsonPath: .status.conditions[?(@.type=="Ready")].message
11887 name: Status
11888 priority: 1
11889 type: string
11890 - jsonPath: .metadata.creationTimestamp
11891 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
11892 name: Age
11893 type: date
11894 schema:
11895 openAPIV3Schema:
11896 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
11897 type: object
11898 properties:
11899 apiVersion:
11900 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11901 type: string
11902 kind:
11903 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11904 type: string
11905 metadata:
11906 type: object
11907 spec:
11908 description: Desired state of the Issuer resource.
11909 type: object
11910 properties:
11911 acme:
11912 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
11913 type: object
11914 required:
11915 - privateKeySecretRef
11916 - server
11917 properties:
11918 disableAccountKeyGeneration:
11919 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
11920 type: boolean
11921 email:
11922 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
11923 type: string
11924 enableDurationFeature:
11925 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers (Let's Encrypt, for example, does not support it). If set to true when the ACME server does not support it, an error will be created on the Order. Defaults to false.
11926 type: boolean
11927 externalAccountBinding:
11928 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
11929 type: object
11930 required:
11931 - keyID
11932 - keySecretRef
11933 properties:
11934 keyAlgorithm:
11935 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
11936 type: string
11937 enum:
11938 - HS256
11939 - HS384
11940 - HS512
11941 keyID:
11942 description: keyID is the ID of the CA key that the External Account is bound to.
11943 type: string
11944 keySecretRef:
11945 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
11946 type: object
11947 required:
11948 - name
11949 properties:
11950 key:
11951 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11952 type: string
11953 name:
11954 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11955 type: string
11956 preferredChain:
11957 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
11958 type: string
11959 maxLength: 64
11960 privateKeySecretRef:
11961 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
11962 type: object
11963 required:
11964 - name
11965 properties:
11966 key:
11967 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11968 type: string
11969 name:
11970 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11971 type: string
11972 server:
11973 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
11974 type: string
11975 skipTLSVerify:
11976 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
11977 type: boolean
11978 solvers:
11979 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
11980 type: array
11981 items:
11982 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
11983 type: object
11984 properties:
11985 dns01:
11986 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
11987 type: object
11988 properties:
11989 acmedns:
11990 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
11991 type: object
11992 required:
11993 - accountSecretRef
11994 - host
11995 properties:
11996 accountSecretRef:
11997 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
11998 type: object
11999 required:
12000 - name
12001 properties:
12002 key:
12003 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12004 type: string
12005 name:
12006 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12007 type: string
12008 host:
12009 type: string
12010 akamai:
12011 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
12012 type: object
12013 required:
12014 - accessTokenSecretRef
12015 - clientSecretSecretRef
12016 - clientTokenSecretRef
12017 - serviceConsumerDomain
12018 properties:
12019 accessTokenSecretRef:
12020 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12021 type: object
12022 required:
12023 - name
12024 properties:
12025 key:
12026 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12027 type: string
12028 name:
12029 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12030 type: string
12031 clientSecretSecretRef:
12032 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12033 type: object
12034 required:
12035 - name
12036 properties:
12037 key:
12038 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12039 type: string
12040 name:
12041 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12042 type: string
12043 clientTokenSecretRef:
12044 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12045 type: object
12046 required:
12047 - name
12048 properties:
12049 key:
12050 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12051 type: string
12052 name:
12053 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12054 type: string
12055 serviceConsumerDomain:
12056 type: string
12057 azuredns:
12058 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
12059 type: object
12060 required:
12061 - resourceGroupName
12062 - subscriptionID
12063 properties:
12064 clientID:
12065 description: If both this and ClientSecret are left unset, MSI will be used.
12066 type: string
12067 clientSecretSecretRef:
12068 description: If both this and ClientID are left unset, MSI will be used.
12069 type: object
12070 required:
12071 - name
12072 properties:
12073 key:
12074 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12075 type: string
12076 name:
12077 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12078 type: string
12079 environment:
12080 type: string
12081 enum:
12082 - AzurePublicCloud
12083 - AzureChinaCloud
12084 - AzureGermanCloud
12085 - AzureUSGovernmentCloud
12086 hostedZoneName:
12087 type: string
12088 resourceGroupName:
12089 type: string
12090 subscriptionID:
12091 type: string
12092 tenantID:
12093 description: When specifying ClientID and ClientSecret, this field is also needed.
12094 type: string
12095 clouddns:
12096 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
12097 type: object
12098 required:
12099 - project
12100 properties:
12101 hostedZoneName:
12102 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
12103 type: string
12104 project:
12105 type: string
12106 serviceAccountSecretRef:
12107 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12108 type: object
12109 required:
12110 - name
12111 properties:
12112 key:
12113 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12114 type: string
12115 name:
12116 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12117 type: string
12118 cloudflare:
12119 description: Use the Cloudflare API to manage DNS01 challenge records.
12120 type: object
12121 properties:
12122 apiKeySecretRef:
12123 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
12124 type: object
12125 required:
12126 - name
12127 properties:
12128 key:
12129 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12130 type: string
12131 name:
12132 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12133 type: string
12134 apiTokenSecretRef:
12135 description: API token used to authenticate with Cloudflare.
12136 type: object
12137 required:
12138 - name
12139 properties:
12140 key:
12141 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12142 type: string
12143 name:
12144 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12145 type: string
12146 email:
12147 description: Email of the account, only required when using API key based authentication.
12148 type: string
12149 cnameStrategy:
12150 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
12151 type: string
12152 enum:
12153 - None
12154 - Follow
12155 digitalocean:
12156 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
12157 type: object
12158 required:
12159 - tokenSecretRef
12160 properties:
12161 tokenSecretRef:
12162 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12163 type: object
12164 required:
12165 - name
12166 properties:
12167 key:
12168 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12169 type: string
12170 name:
12171 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12172 type: string
12173 rfc2136:
12174 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
12175 type: object
12176 required:
12177 - nameserver
12178 properties:
12179 nameserver:
12180 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
12181 type: string
12182 tsigAlgorithm:
12183 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
12184 type: string
12185 tsigKeyName:
12186 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
12187 type: string
12188 tsigSecretSecretRef:
12189 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
12190 type: object
12191 required:
12192 - name
12193 properties:
12194 key:
12195 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12196 type: string
12197 name:
12198 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12199 type: string
12200 route53:
12201 description: Use the AWS Route53 API to manage DNS01 challenge records.
12202 type: object
12203 required:
12204 - region
12205 properties:
12206 accessKeyID:
12207 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
12208 type: string
12209 hostedZoneID:
12210 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
12211 type: string
12212 region:
12213 description: Always set the region when using AccessKeyID and SecretAccessKey
12214 type: string
12215 role:
12216 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
12217 type: string
12218 secretAccessKeySecretRef:
12219 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
12220 type: object
12221 required:
12222 - name
12223 properties:
12224 key:
12225 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12226 type: string
12227 name:
12228 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12229 type: string
12230 webhook:
12231 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
12232 type: object
12233 required:
12234 - groupName
12235 - solverName
12236 properties:
12237 config:
12238 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
12239 x-kubernetes-preserve-unknown-fields: true
12240 groupName:
12241 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
12242 type: string
12243 solverName:
12244 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
12245 type: string
12246 http01:
12247 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
12248 type: object
12249 properties:
12250 gatewayHTTPRoute:
12251 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
12252 type: object
12253 properties:
12254 labels:
12255 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
12256 type: object
12257 additionalProperties:
12258 type: string
12259 serviceType:
12260 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12261 type: string
12262 ingress:
12263 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
12264 type: object
12265 properties:
12266 class:
12267 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
12268 type: string
12269 ingressTemplate:
12270 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
12271 type: object
12272 properties:
12273 metadata:
12274 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12275 type: object
12276 properties:
12277 annotations:
12278 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
12279 type: object
12280 additionalProperties:
12281 type: string
12282 labels:
12283 description: Labels that should be added to the created ACME HTTP01 solver ingress.
12284 type: object
12285 additionalProperties:
12286 type: string
12287 name:
12288 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
12289 type: string
12290 podTemplate:
12291 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
12292 type: object
12293 properties:
12294 metadata:
12295 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12296 type: object
12297 properties:
12298 annotations:
12299 description: Annotations that should be added to the created ACME HTTP01 solver pods.
12300 type: object
12301 additionalProperties:
12302 type: string
12303 labels:
12304 description: Labels that should be added to the created ACME HTTP01 solver pods.
12305 type: object
12306 additionalProperties:
12307 type: string
12308 spec:
12309 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
12310 type: object
12311 properties:
12312 affinity:
12313 description: If specified, the pod's scheduling constraints
12314 type: object
12315 properties:
12316 nodeAffinity:
12317 description: Describes node affinity scheduling rules for the pod.
12318 type: object
12319 properties:
12320 preferredDuringSchedulingIgnoredDuringExecution:
12321 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
12322 type: array
12323 items:
12324 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
12325 type: object
12326 required:
12327 - preference
12328 - weight
12329 properties:
12330 preference:
12331 description: A node selector term, associated with the corresponding weight.
12332 type: object
12333 properties:
12334 matchExpressions:
12335 description: A list of node selector requirements by node's labels.
12336 type: array
12337 items:
12338 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12339 type: object
12340 required:
12341 - key
12342 - operator
12343 properties:
12344 key:
12345 description: The label key that the selector applies to.
12346 type: string
12347 operator:
12348 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12349 type: string
12350 values:
12351 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12352 type: array
12353 items:
12354 type: string
12355 matchFields:
12356 description: A list of node selector requirements by node's fields.
12357 type: array
12358 items:
12359 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12360 type: object
12361 required:
12362 - key
12363 - operator
12364 properties:
12365 key:
12366 description: The label key that the selector applies to.
12367 type: string
12368 operator:
12369 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12370 type: string
12371 values:
12372 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12373 type: array
12374 items:
12375 type: string
12376 weight:
12377 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
12378 type: integer
12379 format: int32
12380 requiredDuringSchedulingIgnoredDuringExecution:
12381 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
12382 type: object
12383 required:
12384 - nodeSelectorTerms
12385 properties:
12386 nodeSelectorTerms:
12387 description: Required. A list of node selector terms. The terms are ORed.
12388 type: array
12389 items:
12390 description: A null or empty node selector term matches no objects. Their requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
12391 type: object
12392 properties:
12393 matchExpressions:
12394 description: A list of node selector requirements by node's labels.
12395 type: array
12396 items:
12397 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12398 type: object
12399 required:
12400 - key
12401 - operator
12402 properties:
12403 key:
12404 description: The label key that the selector applies to.
12405 type: string
12406 operator:
12407 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
12408 type: string
12409 values:
12410 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12411 type: array
12412 items:
12413 type: string
12414 matchFields:
12415 description: A list of node selector requirements by node's fields.
12416 type: array
12417 items:
12418 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12419 type: object
12420 required:
12421 - key
12422 - operator
12423 properties:
12424 key:
12425 description: The label key that the selector applies to.
12426 type: string
12427 operator:
12428 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
12429 type: string
12430 values:
12431 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12432 type: array
12433 items:
12434 type: string
12435 podAffinity:
12436 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
12437 type: object
12438 properties:
12439 preferredDuringSchedulingIgnoredDuringExecution:
12440 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12441 type: array
12442 items:
12443 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
12444 type: object
12445 required:
12446 - podAffinityTerm
12447 - weight
12448 properties:
12449 podAffinityTerm:
12450 description: Required. A pod affinity term, associated with the corresponding weight.
12451 type: object
12452 required:
12453 - topologyKey
12454 properties:
12455 labelSelector:
12456 description: A label query over a set of resources, in this case pods.
12457 type: object
12458 properties:
12459 matchExpressions:
12460 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12461 type: array
12462 items:
12463 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12464 type: object
12465 required:
12466 - key
12467 - operator
12468 properties:
12469 key:
12470 description: key is the label key that the selector applies to.
12471 type: string
12472 operator:
12473 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12474 type: string
12475 values:
12476 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12477 type: array
12478 items:
12479 type: string
12480 matchLabels:
12481 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12482 type: object
12483 additionalProperties:
12484 type: string
12485 namespaceSelector:
12486 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12487 type: object
12488 properties:
12489 matchExpressions:
12490 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12491 type: array
12492 items:
12493 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12494 type: object
12495 required:
12496 - key
12497 - operator
12498 properties:
12499 key:
12500 description: key is the label key that the selector applies to.
12501 type: string
12502 operator:
12503 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12504 type: string
12505 values:
12506 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12507 type: array
12508 items:
12509 type: string
12510 matchLabels:
12511 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12512 type: object
12513 additionalProperties:
12514 type: string
12515 namespaces:
12516 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12517 type: array
12518 items:
12519 type: string
12520 topologyKey:
12521 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12522 type: string
12523 weight:
12524 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12525 type: integer
12526 format: int32
12527 requiredDuringSchedulingIgnoredDuringExecution:
12528 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12529 type: array
12530 items:
12531 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
12532 type: object
12533 required:
12534 - topologyKey
12535 properties:
12536 labelSelector:
12537 description: A label query over a set of resources, in this case pods.
12538 type: object
12539 properties:
12540 matchExpressions:
12541 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12542 type: array
12543 items:
12544 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12545 type: object
12546 required:
12547 - key
12548 - operator
12549 properties:
12550 key:
12551 description: key is the label key that the selector applies to.
12552 type: string
12553 operator:
12554 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12555 type: string
12556 values:
12557 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12558 type: array
12559 items:
12560 type: string
12561 matchLabels:
12562 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12563 type: object
12564 additionalProperties:
12565 type: string
12566 namespaceSelector:
12567 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12568 type: object
12569 properties:
12570 matchExpressions:
12571 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12572 type: array
12573 items:
12574 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12575 type: object
12576 required:
12577 - key
12578 - operator
12579 properties:
12580 key:
12581 description: key is the label key that the selector applies to.
12582 type: string
12583 operator:
12584 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12585 type: string
12586 values:
12587 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12588 type: array
12589 items:
12590 type: string
12591 matchLabels:
12592 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12593 type: object
12594 additionalProperties:
12595 type: string
12596 namespaces:
12597 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12598 type: array
12599 items:
12600 type: string
12601 topologyKey:
12602 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12603 type: string
12604 podAntiAffinity:
12605 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
12606 type: object
12607 properties:
12608 preferredDuringSchedulingIgnoredDuringExecution:
12609 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12610 type: array
12611 items:
12612 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
12613 type: object
12614 required:
12615 - podAffinityTerm
12616 - weight
12617 properties:
12618 podAffinityTerm:
12619 description: Required. A pod affinity term, associated with the corresponding weight.
12620 type: object
12621 required:
12622 - topologyKey
12623 properties:
12624 labelSelector:
12625 description: A label query over a set of resources, in this case pods.
12626 type: object
12627 properties:
12628 matchExpressions:
12629 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12630 type: array
12631 items:
12632 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12633 type: object
12634 required:
12635 - key
12636 - operator
12637 properties:
12638 key:
12639 description: key is the label key that the selector applies to.
12640 type: string
12641 operator:
12642 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12643 type: string
12644 values:
12645 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12646 type: array
12647 items:
12648 type: string
12649 matchLabels:
12650 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12651 type: object
12652 additionalProperties:
12653 type: string
12654 namespaceSelector:
12655 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12656 type: object
12657 properties:
12658 matchExpressions:
12659 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12660 type: array
12661 items:
12662 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12663 type: object
12664 required:
12665 - key
12666 - operator
12667 properties:
12668 key:
12669 description: key is the label key that the selector applies to.
12670 type: string
12671 operator:
12672 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12673 type: string
12674 values:
12675 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12676 type: array
12677 items:
12678 type: string
12679 matchLabels:
12680 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12681 type: object
12682 additionalProperties:
12683 type: string
12684 namespaces:
12685 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12686 type: array
12687 items:
12688 type: string
12689 topologyKey:
12690 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12691 type: string
12692 weight:
12693 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12694 type: integer
12695 format: int32
12696 requiredDuringSchedulingIgnoredDuringExecution:
12697 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12698 type: array
12699 items:
12700 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
12701 type: object
12702 required:
12703 - topologyKey
12704 properties:
12705 labelSelector:
12706 description: A label query over a set of resources, in this case pods.
12707 type: object
12708 properties:
12709 matchExpressions:
12710 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12711 type: array
12712 items:
12713 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12714 type: object
12715 required:
12716 - key
12717 - operator
12718 properties:
12719 key:
12720 description: key is the label key that the selector applies to.
12721 type: string
12722 operator:
12723 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12724 type: string
12725 values:
12726 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12727 type: array
12728 items:
12729 type: string
12730 matchLabels:
12731 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12732 type: object
12733 additionalProperties:
12734 type: string
12735 namespaceSelector:
12736 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12737 type: object
12738 properties:
12739 matchExpressions:
12740 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12741 type: array
12742 items:
12743 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12744 type: object
12745 required:
12746 - key
12747 - operator
12748 properties:
12749 key:
12750 description: key is the label key that the selector applies to.
12751 type: string
12752 operator:
12753 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12754 type: string
12755 values:
12756 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12757 type: array
12758 items:
12759 type: string
12760 matchLabels:
12761 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12762 type: object
12763 additionalProperties:
12764 type: string
12765 namespaces:
12766 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12767 type: array
12768 items:
12769 type: string
12770 topologyKey:
12771 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12772 type: string
12773 nodeSelector:
12774 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
12775 type: object
12776 additionalProperties:
12777 type: string
12778 priorityClassName:
12779 description: If specified, the pod's priorityClassName.
12780 type: string
12781 serviceAccountName:
12782 description: If specified, the pod's service account.
12783 type: string
12784 tolerations:
12785 description: If specified, the pod's tolerations.
12786 type: array
12787 items:
12788 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
12789 type: object
12790 properties:
12791 effect:
12792 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
12793 type: string
12794 key:
12795 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
12796 type: string
12797 operator:
12798 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
12799 type: string
12800 tolerationSeconds:
12801 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
12802 type: integer
12803 format: int64
12804 value:
12805 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
12806 type: string
12807 serviceType:
12808 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12809 type: string
12810 selector:
12811 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
12812 type: object
12813 properties:
12814 dnsNames:
12815 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12816 type: array
12817 items:
12818 type: string
12819 dnsZones:
12820 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12821 type: array
12822 items:
12823 type: string
12824 matchLabels:
12825 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
12826 type: object
12827 additionalProperties:
12828 type: string
12829 ca:
12830 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
12831 type: object
12832 required:
12833 - secretName
12834 properties:
12835 crlDistributionPoints:
12836 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
12837 type: array
12838 items:
12839 type: string
12840 ocspServers:
12841 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
12842 type: array
12843 items:
12844 type: string
12845 secretName:
12846 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
12847 type: string
12848 selfSigned:
12849 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
12850 type: object
12851 properties:
12852 crlDistributionPoints:
12853 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
12854 type: array
12855 items:
12856 type: string
12857 vault:
12858 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
12859 type: object
12860 required:
12861 - auth
12862 - path
12863 - server
12864 properties:
12865 auth:
12866 description: Auth configures how cert-manager authenticates with the Vault server.
12867 type: object
12868 properties:
12869 appRole:
12870 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
12871 type: object
12872 required:
12873 - path
12874 - roleId
12875 - secretRef
12876 properties:
12877 path:
12878 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
12879 type: string
12880 roleId:
12881 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
12882 type: string
12883 secretRef:
12884 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
12885 type: object
12886 required:
12887 - name
12888 properties:
12889 key:
12890 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12891 type: string
12892 name:
12893 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12894 type: string
12895 kubernetes:
12896 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
12897 type: object
12898 required:
12899 - role
12900 - secretRef
12901 properties:
12902 mountPath:
12903 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
12904 type: string
12905 role:
12906 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
12907 type: string
12908 secretRef:
12909 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
12910 type: object
12911 required:
12912 - name
12913 properties:
12914 key:
12915 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12916 type: string
12917 name:
12918 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12919 type: string
12920 tokenSecretRef:
12921 description: TokenSecretRef authenticates with Vault by presenting a token.
12922 type: object
12923 required:
12924 - name
12925 properties:
12926 key:
12927 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12928 type: string
12929 name:
12930 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12931 type: string
12932 caBundle:
12933 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
12934 type: string
12935 format: byte
12936 namespace:
12937 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
12938 type: string
12939 path:
12940 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
12941 type: string
12942 server:
12943 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
12944 type: string
12945 venafi:
12946 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
12947 type: object
12948 required:
12949 - zone
12950 properties:
12951 cloud:
12952 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
12953 type: object
12954 required:
12955 - apiTokenSecretRef
12956 properties:
12957 apiTokenSecretRef:
12958 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
12959 type: object
12960 required:
12961 - name
12962 properties:
12963 key:
12964 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12965 type: string
12966 name:
12967 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12968 type: string
12969 url:
12970 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
12971 type: string
12972 tpp:
12973 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
12974 type: object
12975 required:
12976 - credentialsRef
12977 - url
12978 properties:
12979 caBundle:
12980 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
12981 type: string
12982 format: byte
12983 credentialsRef:
12984 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
12985 type: object
12986 required:
12987 - name
12988 properties:
12989 name:
12990 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12991 type: string
12992 url:
12993 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
12994 type: string
12995 zone:
12996 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
12997 type: string
12998 status:
12999 description: Status of the Issuer. This is set and managed automatically.
13000 type: object
13001 properties:
13002 acme:
13003 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
13004 type: object
13005 properties:
13006 lastRegisteredEmail:
13007 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
13008 type: string
13009 uri:
13010 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
13011 type: string
13012 conditions:
13013 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
13014 type: array
13015 items:
13016 description: IssuerCondition contains condition information for an Issuer.
13017 type: object
13018 required:
13019 - status
13020 - type
13021 properties:
13022 lastTransitionTime:
13023 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
13024 type: string
13025 format: date-time
13026 message:
13027 description: Message is a human readable description of the details of the last transition, complementing reason.
13028 type: string
13029 observedGeneration:
13030 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
13031 type: integer
13032 format: int64
13033 reason:
13034 description: Reason is a brief machine readable explanation for the condition's last transition.
13035 type: string
13036 status:
13037 description: Status of the condition, one of (`True`, `False`, `Unknown`).
13038 type: string
13039 enum:
13040 - "True"
13041 - "False"
13042 - Unknown
13043 type:
13044 description: Type of the condition, known values are (`Ready`).
13045 type: string
13046 served: true
13047 storage: false
13048 - name: v1beta1
13049 subresources:
13050 status: {}
13051 additionalPrinterColumns:
13052 - jsonPath: .status.conditions[?(@.type=="Ready")].status
13053 name: Ready
13054 type: string
13055 - jsonPath: .status.conditions[?(@.type=="Ready")].message
13056 name: Status
13057 priority: 1
13058 type: string
13059 - jsonPath: .metadata.creationTimestamp
13060 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
13061 name: Age
13062 type: date
13063 schema:
13064 openAPIV3Schema:
13065 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
13066 type: object
13067 required:
13068 - spec
13069 properties:
13070 apiVersion:
13071 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
13072 type: string
13073 kind:
13074 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
13075 type: string
13076 metadata:
13077 type: object
13078 spec:
13079 description: Desired state of the Issuer resource.
13080 type: object
13081 properties:
13082 acme:
13083 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
13084 type: object
13085 required:
13086 - privateKeySecretRef
13087 - server
13088 properties:
13089 disableAccountKeyGeneration:
13090 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
13091 type: boolean
13092 email:
13093 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
13094 type: string
13095 enableDurationFeature:
13096 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers; Let's Encrypt, for example, does not support it. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
13097 type: boolean
13098 externalAccountBinding:
13099 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
13100 type: object
13101 required:
13102 - keyID
13103 - keySecretRef
13104 properties:
13105 keyAlgorithm:
13106 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
13107 type: string
13108 enum:
13109 - HS256
13110 - HS384
13111 - HS512
13112 keyID:
13113 description: keyID is the ID of the CA key that the External Account is bound to.
13114 type: string
13115 keySecretRef:
13116 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
13117 type: object
13118 required:
13119 - name
13120 properties:
13121 key:
13122 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13123 type: string
13124 name:
13125 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13126 type: string
13127 preferredChain:
13128 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
13129 type: string
13130 maxLength: 64
13131 privateKeySecretRef:
13132 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
13133 type: object
13134 required:
13135 - name
13136 properties:
13137 key:
13138 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13139 type: string
13140 name:
13141 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13142 type: string
13143 server:
13144 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
13145 type: string
13146 skipTLSVerify:
13147 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
13148 type: boolean
13149 solvers:
13150 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
13151 type: array
13152 items:
13153 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
13154 type: object
13155 properties:
13156 dns01:
13157 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
13158 type: object
13159 properties:
13160 acmeDNS:
13161 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
13162 type: object
13163 required:
13164 - accountSecretRef
13165 - host
13166 properties:
13167 accountSecretRef:
13168 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13169 type: object
13170 required:
13171 - name
13172 properties:
13173 key:
13174 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13175 type: string
13176 name:
13177 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13178 type: string
13179 host:
13180 type: string
13181 akamai:
13182 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
13183 type: object
13184 required:
13185 - accessTokenSecretRef
13186 - clientSecretSecretRef
13187 - clientTokenSecretRef
13188 - serviceConsumerDomain
13189 properties:
13190 accessTokenSecretRef:
13191 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13192 type: object
13193 required:
13194 - name
13195 properties:
13196 key:
13197 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13198 type: string
13199 name:
13200 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13201 type: string
13202 clientSecretSecretRef:
13203 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13204 type: object
13205 required:
13206 - name
13207 properties:
13208 key:
13209 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13210 type: string
13211 name:
13212 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13213 type: string
13214 clientTokenSecretRef:
13215 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13216 type: object
13217 required:
13218 - name
13219 properties:
13220 key:
13221 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13222 type: string
13223 name:
13224 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13225 type: string
13226 serviceConsumerDomain:
13227 type: string
13228 azureDNS:
13229 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
13230 type: object
13231 required:
13232 - resourceGroupName
13233 - subscriptionID
13234 properties:
13235 clientID:
13236 description: if both this and ClientSecret are left unset MSI will be used
13237 type: string
13238 clientSecretSecretRef:
13239 description: if both this and ClientID are left unset MSI will be used
13240 type: object
13241 required:
13242 - name
13243 properties:
13244 key:
13245 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13246 type: string
13247 name:
13248 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13249 type: string
13250 environment:
13251 type: string
13252 enum:
13253 - AzurePublicCloud
13254 - AzureChinaCloud
13255 - AzureGermanCloud
13256 - AzureUSGovernmentCloud
13257 hostedZoneName:
13258 type: string
13259 resourceGroupName:
13260 type: string
13261 subscriptionID:
13262 type: string
13263 tenantID:
13264 description: when specifying ClientID and ClientSecret then this field is also needed
13265 type: string
13266 cloudDNS:
13267 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
13268 type: object
13269 required:
13270 - project
13271 properties:
13272 hostedZoneName:
13273 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
13274 type: string
13275 project:
13276 type: string
13277 serviceAccountSecretRef:
13278 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13279 type: object
13280 required:
13281 - name
13282 properties:
13283 key:
13284 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13285 type: string
13286 name:
13287 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13288 type: string
13289 cloudflare:
13290 description: Use the Cloudflare API to manage DNS01 challenge records.
13291 type: object
13292 properties:
13293 apiKeySecretRef:
13294 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
13295 type: object
13296 required:
13297 - name
13298 properties:
13299 key:
13300 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13301 type: string
13302 name:
13303 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13304 type: string
13305 apiTokenSecretRef:
13306 description: API token used to authenticate with Cloudflare.
13307 type: object
13308 required:
13309 - name
13310 properties:
13311 key:
13312 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13313 type: string
13314 name:
13315 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13316 type: string
13317 email:
13318 description: Email of the account, only required when using API key based authentication.
13319 type: string
13320 cnameStrategy:
13321 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
13322 type: string
13323 enum:
13324 - None
13325 - Follow
13326 digitalocean:
13327 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
13328 type: object
13329 required:
13330 - tokenSecretRef
13331 properties:
13332 tokenSecretRef:
13333 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13334 type: object
13335 required:
13336 - name
13337 properties:
13338 key:
13339 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13340 type: string
13341 name:
13342 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13343 type: string
13344 rfc2136:
13345 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
13346 type: object
13347 required:
13348 - nameserver
13349 properties:
13350 nameserver:
13351 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
13352 type: string
13353 tsigAlgorithm:
13354 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
13355 type: string
13356 tsigKeyName:
13357 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
13358 type: string
13359 tsigSecretSecretRef:
13360 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
13361 type: object
13362 required:
13363 - name
13364 properties:
13365 key:
13366 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13367 type: string
13368 name:
13369 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13370 type: string
13371 route53:
13372 description: Use the AWS Route53 API to manage DNS01 challenge records.
13373 type: object
13374 required:
13375 - region
13376 properties:
13377 accessKeyID:
13378 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
13379 type: string
13380 hostedZoneID:
13381 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
13382 type: string
13383 region:
13384 description: Always set the region when using AccessKeyID and SecretAccessKey
13385 type: string
13386 role:
13387 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
13388 type: string
13389 secretAccessKeySecretRef:
13390 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
13391 type: object
13392 required:
13393 - name
13394 properties:
13395 key:
13396 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13397 type: string
13398 name:
13399 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13400 type: string
13401 webhook:
13402 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
13403 type: object
13404 required:
13405 - groupName
13406 - solverName
13407 properties:
13408 config:
13409 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
13410 x-kubernetes-preserve-unknown-fields: true
13411 groupName:
13412 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
13413 type: string
13414 solverName:
13415 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
13416 type: string
13417 http01:
13418 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
13419 type: object
13420 properties:
13421 gatewayHTTPRoute:
13422 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
13423 type: object
13424 properties:
13425 labels:
13426 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
13427 type: object
13428 additionalProperties:
13429 type: string
13430 serviceType:
13431 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13432 type: string
13433 ingress:
13434 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
13435 type: object
13436 properties:
13437 class:
13438 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
13439 type: string
13440 ingressTemplate:
13441 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
13442 type: object
13443 properties:
13444 metadata:
13445 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13446 type: object
13447 properties:
13448 annotations:
13449 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
13450 type: object
13451 additionalProperties:
13452 type: string
13453 labels:
13454 description: Labels that should be added to the created ACME HTTP01 solver ingress.
13455 type: object
13456 additionalProperties:
13457 type: string
13458 name:
13459 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
13460 type: string
13461 podTemplate:
13462 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
13463 type: object
13464 properties:
13465 metadata:
13466 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13467 type: object
13468 properties:
13469 annotations:
13470 description: Annotations that should be added to the created ACME HTTP01 solver pods.
13471 type: object
13472 additionalProperties:
13473 type: string
13474 labels:
13475 description: Labels that should be added to the created ACME HTTP01 solver pods.
13476 type: object
13477 additionalProperties:
13478 type: string
13479 spec:
13480 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
13481 type: object
13482 properties:
13483 affinity:
13484 description: If specified, the pod's scheduling constraints
13485 type: object
13486 properties:
13487 nodeAffinity:
13488 description: Describes node affinity scheduling rules for the pod.
13489 type: object
13490 properties:
13491 preferredDuringSchedulingIgnoredDuringExecution:
13492 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
13493 type: array
13494 items:
13495 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
13496 type: object
13497 required:
13498 - preference
13499 - weight
13500 properties:
13501 preference:
13502 description: A node selector term, associated with the corresponding weight.
13503 type: object
13504 properties:
13505 matchExpressions:
13506 description: A list of node selector requirements by node's labels.
13507 type: array
13508 items:
13509 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13510 type: object
13511 required:
13512 - key
13513 - operator
13514 properties:
13515 key:
13516 description: The label key that the selector applies to.
13517 type: string
13518 operator:
13519 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13520 type: string
13521 values:
13522 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13523 type: array
13524 items:
13525 type: string
13526 matchFields:
13527 description: A list of node selector requirements by node's fields.
13528 type: array
13529 items:
13530 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13531 type: object
13532 required:
13533 - key
13534 - operator
13535 properties:
13536 key:
13537 description: The label key that the selector applies to.
13538 type: string
13539 operator:
13540 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13541 type: string
13542 values:
13543 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13544 type: array
13545 items:
13546 type: string
13547 weight:
13548 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
13549 type: integer
13550 format: int32
13551 requiredDuringSchedulingIgnoredDuringExecution:
13552 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
13553 type: object
13554 required:
13555 - nodeSelectorTerms
13556 properties:
13557 nodeSelectorTerms:
13558 description: Required. A list of node selector terms. The terms are ORed.
13559 type: array
13560 items:
13561 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
13562 type: object
13563 properties:
13564 matchExpressions:
13565 description: A list of node selector requirements by node's labels.
13566 type: array
13567 items:
13568 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13569 type: object
13570 required:
13571 - key
13572 - operator
13573 properties:
13574 key:
13575 description: The label key that the selector applies to.
13576 type: string
13577 operator:
13578 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13579 type: string
13580 values:
13581 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13582 type: array
13583 items:
13584 type: string
13585 matchFields:
13586 description: A list of node selector requirements by node's fields.
13587 type: array
13588 items:
13589 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13590 type: object
13591 required:
13592 - key
13593 - operator
13594 properties:
13595 key:
13596 description: The label key that the selector applies to.
13597 type: string
13598 operator:
13599 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13600 type: string
13601 values:
13602 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13603 type: array
13604 items:
13605 type: string
13606 podAffinity:
13607 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
13608 type: object
13609 properties:
13610 preferredDuringSchedulingIgnoredDuringExecution:
13611 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13612 type: array
13613 items:
13614 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13615 type: object
13616 required:
13617 - podAffinityTerm
13618 - weight
13619 properties:
13620 podAffinityTerm:
13621 description: Required. A pod affinity term, associated with the corresponding weight.
13622 type: object
13623 required:
13624 - topologyKey
13625 properties:
13626 labelSelector:
13627 description: A label query over a set of resources, in this case pods.
13628 type: object
13629 properties:
13630 matchExpressions:
13631 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13632 type: array
13633 items:
13634 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13635 type: object
13636 required:
13637 - key
13638 - operator
13639 properties:
13640 key:
13641 description: key is the label key that the selector applies to.
13642 type: string
13643 operator:
13644 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13645 type: string
13646 values:
13647 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13648 type: array
13649 items:
13650 type: string
13651 matchLabels:
13652 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13653 type: object
13654 additionalProperties:
13655 type: string
13656 namespaceSelector:
13657 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13658 type: object
13659 properties:
13660 matchExpressions:
13661 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13662 type: array
13663 items:
13664 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13665 type: object
13666 required:
13667 - key
13668 - operator
13669 properties:
13670 key:
13671 description: key is the label key that the selector applies to.
13672 type: string
13673 operator:
13674 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13675 type: string
13676 values:
13677 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13678 type: array
13679 items:
13680 type: string
13681 matchLabels:
13682 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13683 type: object
13684 additionalProperties:
13685 type: string
13686 namespaces:
13687 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13688 type: array
13689 items:
13690 type: string
13691 topologyKey:
13692 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13693 type: string
13694 weight:
13695 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13696 type: integer
13697 format: int32
13698 requiredDuringSchedulingIgnoredDuringExecution:
13699 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13700 type: array
13701 items:
13702 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13703 type: object
13704 required:
13705 - topologyKey
13706 properties:
13707 labelSelector:
13708 description: A label query over a set of resources, in this case pods.
13709 type: object
13710 properties:
13711 matchExpressions:
13712 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13713 type: array
13714 items:
13715 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13716 type: object
13717 required:
13718 - key
13719 - operator
13720 properties:
13721 key:
13722 description: key is the label key that the selector applies to.
13723 type: string
13724 operator:
13725 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13726 type: string
13727 values:
13728 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13729 type: array
13730 items:
13731 type: string
13732 matchLabels:
13733 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13734 type: object
13735 additionalProperties:
13736 type: string
13737 namespaceSelector:
13738 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13739 type: object
13740 properties:
13741 matchExpressions:
13742 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13743 type: array
13744 items:
13745 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13746 type: object
13747 required:
13748 - key
13749 - operator
13750 properties:
13751 key:
13752 description: key is the label key that the selector applies to.
13753 type: string
13754 operator:
13755 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13756 type: string
13757 values:
13758 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13759 type: array
13760 items:
13761 type: string
13762 matchLabels:
13763 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13764 type: object
13765 additionalProperties:
13766 type: string
13767 namespaces:
13768 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13769 type: array
13770 items:
13771 type: string
13772 topologyKey:
13773 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13774 type: string
13775 podAntiAffinity:
13776 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
13777 type: object
13778 properties:
13779 preferredDuringSchedulingIgnoredDuringExecution:
13780 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13781 type: array
13782 items:
13783 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13784 type: object
13785 required:
13786 - podAffinityTerm
13787 - weight
13788 properties:
13789 podAffinityTerm:
13790 description: Required. A pod affinity term, associated with the corresponding weight.
13791 type: object
13792 required:
13793 - topologyKey
13794 properties:
13795 labelSelector:
13796 description: A label query over a set of resources, in this case pods.
13797 type: object
13798 properties:
13799 matchExpressions:
13800 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13801 type: array
13802 items:
13803 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13804 type: object
13805 required:
13806 - key
13807 - operator
13808 properties:
13809 key:
13810 description: key is the label key that the selector applies to.
13811 type: string
13812 operator:
13813 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13814 type: string
13815 values:
13816 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13817 type: array
13818 items:
13819 type: string
13820 matchLabels:
13821 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13822 type: object
13823 additionalProperties:
13824 type: string
13825 namespaceSelector:
13826 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13827 type: object
13828 properties:
13829 matchExpressions:
13830 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13831 type: array
13832 items:
13833 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13834 type: object
13835 required:
13836 - key
13837 - operator
13838 properties:
13839 key:
13840 description: key is the label key that the selector applies to.
13841 type: string
13842 operator:
13843 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13844 type: string
13845 values:
13846 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13847 type: array
13848 items:
13849 type: string
13850 matchLabels:
13851 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13852 type: object
13853 additionalProperties:
13854 type: string
13855 namespaces:
13856 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13857 type: array
13858 items:
13859 type: string
13860 topologyKey:
13861 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13862 type: string
13863 weight:
13864 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13865 type: integer
13866 format: int32
13867 requiredDuringSchedulingIgnoredDuringExecution:
13868 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13869 type: array
13870 items:
13871 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13872 type: object
13873 required:
13874 - topologyKey
13875 properties:
13876 labelSelector:
13877 description: A label query over a set of resources, in this case pods.
13878 type: object
13879 properties:
13880 matchExpressions:
13881 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13882 type: array
13883 items:
13884 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13885 type: object
13886 required:
13887 - key
13888 - operator
13889 properties:
13890 key:
13891 description: key is the label key that the selector applies to.
13892 type: string
13893 operator:
13894 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13895 type: string
13896 values:
13897 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13898 type: array
13899 items:
13900 type: string
13901 matchLabels:
13902 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13903 type: object
13904 additionalProperties:
13905 type: string
13906 namespaceSelector:
13907 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13908 type: object
13909 properties:
13910 matchExpressions:
13911 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13912 type: array
13913 items:
13914 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13915 type: object
13916 required:
13917 - key
13918 - operator
13919 properties:
13920 key:
13921 description: key is the label key that the selector applies to.
13922 type: string
13923 operator:
13924 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13925 type: string
13926 values:
13927 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13928 type: array
13929 items:
13930 type: string
13931 matchLabels:
13932 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13933 type: object
13934 additionalProperties:
13935 type: string
13936 namespaces:
13937 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13938 type: array
13939 items:
13940 type: string
13941 topologyKey:
13942 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13943 type: string
13944 nodeSelector:
13945 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
13946 type: object
13947 additionalProperties:
13948 type: string
13949 priorityClassName:
13950 description: If specified, the pod's priorityClassName.
13951 type: string
13952 serviceAccountName:
13953 description: If specified, the pod's service account
13954 type: string
13955 tolerations:
13956 description: If specified, the pod's tolerations.
13957 type: array
13958 items:
13959 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
13960 type: object
13961 properties:
13962 effect:
13963 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
13964 type: string
13965 key:
13966 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
13967 type: string
13968 operator:
13969 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
13970 type: string
13971 tolerationSeconds:
13972 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
13973 type: integer
13974 format: int64
13975 value:
13976 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
13977 type: string
13978 serviceType:
13979 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13980 type: string
13981 selector:
13982 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
13983 type: object
13984 properties:
13985 dnsNames:
13986 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13987 type: array
13988 items:
13989 type: string
13990 dnsZones:
13991 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13992 type: array
13993 items:
13994 type: string
13995 matchLabels:
13996 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
13997 type: object
13998 additionalProperties:
13999 type: string
14000 ca:
14001 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
14002 type: object
14003 required:
14004 - secretName
14005 properties:
14006 crlDistributionPoints:
14007 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
14008 type: array
14009 items:
14010 type: string
14011 ocspServers:
14012 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
14013 type: array
14014 items:
14015 type: string
14016 secretName:
14017 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
14018 type: string
14019 selfSigned:
14020 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
14021 type: object
14022 properties:
14023 crlDistributionPoints:
14024 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
14025 type: array
14026 items:
14027 type: string
14028 vault:
14029 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
14030 type: object
14031 required:
14032 - auth
14033 - path
14034 - server
14035 properties:
14036 auth:
14037 description: Auth configures how cert-manager authenticates with the Vault server.
14038 type: object
14039 properties:
14040 appRole:
14041 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
14042 type: object
14043 required:
14044 - path
14045 - roleId
14046 - secretRef
14047 properties:
14048 path:
14049 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
14050 type: string
14051 roleId:
14052 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
14053 type: string
14054 secretRef:
14055 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
14056 type: object
14057 required:
14058 - name
14059 properties:
14060 key:
14061 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14062 type: string
14063 name:
14064 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14065 type: string
14066 kubernetes:
14067 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
14068 type: object
14069 required:
14070 - role
14071 - secretRef
14072 properties:
14073 mountPath:
14074 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
14075 type: string
14076 role:
14077 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
14078 type: string
14079 secretRef:
14080 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
14081 type: object
14082 required:
14083 - name
14084 properties:
14085 key:
14086 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14087 type: string
14088 name:
14089 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14090 type: string
14091 tokenSecretRef:
14092 description: TokenSecretRef authenticates with Vault by presenting a token.
14093 type: object
14094 required:
14095 - name
14096 properties:
14097 key:
14098 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14099 type: string
14100 name:
14101 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14102 type: string
14103 caBundle:
14104 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
14105 type: string
14106 format: byte
14107 namespace:
14108 description: 'Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows Vault environments to support secure multi-tenancy, e.g: "ns1". More about namespaces can be found at https://www.vaultproject.io/docs/enterprise/namespaces'
14109 type: string
14110 path:
14111 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
14112 type: string
14113 server:
14114 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
14115 type: string
14116 venafi:
14117 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
14118 type: object
14119 required:
14120 - zone
14121 properties:
14122 cloud:
14123 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
14124 type: object
14125 required:
14126 - apiTokenSecretRef
14127 properties:
14128 apiTokenSecretRef:
14129 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
14130 type: object
14131 required:
14132 - name
14133 properties:
14134 key:
14135 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14136 type: string
14137 name:
14138 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14139 type: string
14140 url:
14141 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
14142 type: string
14143 tpp:
14144 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
14145 type: object
14146 required:
14147 - credentialsRef
14148 - url
14149 properties:
14150 caBundle:
14151 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
14152 type: string
14153 format: byte
14154 credentialsRef:
14155 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
14156 type: object
14157 required:
14158 - name
14159 properties:
14160 name:
14161 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14162 type: string
14163 url:
14164 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
14165 type: string
14166 zone:
14167 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
14168 type: string
14169 status:
14170 description: Status of the Issuer. This is set and managed automatically.
14171 type: object
14172 properties:
14173 acme:
14174 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
14175 type: object
14176 properties:
14177 lastRegisteredEmail:
14178 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
14179 type: string
14180 uri:
14181 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
14182 type: string
14183 conditions:
14184 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
14185 type: array
14186 items:
14187 description: IssuerCondition contains condition information for an Issuer.
14188 type: object
14189 required:
14190 - status
14191 - type
14192 properties:
14193 lastTransitionTime:
14194 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
14195 type: string
14196 format: date-time
14197 message:
14198 description: Message is a human readable description of the details of the last transition, complementing reason.
14199 type: string
14200 observedGeneration:
14201 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
14202 type: integer
14203 format: int64
14204 reason:
14205 description: Reason is a brief machine readable explanation for the condition's last transition.
14206 type: string
14207 status:
14208 description: Status of the condition, one of (`True`, `False`, `Unknown`).
14209 type: string
14210 enum:
14211 - "True"
14212 - "False"
14213 - Unknown
14214 type:
14215 description: Type of the condition, known values are (`Ready`).
14216 type: string
14217 served: true
14218 storage: false
14219 - name: v1
14220 subresources:
14221 status: {}
14222 additionalPrinterColumns:
14223 - jsonPath: .status.conditions[?(@.type=="Ready")].status
14224 name: Ready
14225 type: string
14226 - jsonPath: .status.conditions[?(@.type=="Ready")].message
14227 name: Status
14228 priority: 1
14229 type: string
14230 - jsonPath: .metadata.creationTimestamp
14231 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
14232 name: Age
14233 type: date
14234 schema:
14235 openAPIV3Schema:
14236 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
14237 type: object
14238 required:
14239 - spec
14240 properties:
14241 apiVersion:
14242 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
14243 type: string
14244 kind:
14245 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
14246 type: string
14247 metadata:
14248 type: object
14249 spec:
14250 description: Desired state of the Issuer resource.
14251 type: object
14252 properties:
14253 acme:
14254 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
14255 type: object
14256 required:
14257 - privateKeySecretRef
14258 - server
14259 properties:
14260 disableAccountKeyGeneration:
14261 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
14262 type: boolean
14263 email:
14264 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
14265 type: string
14266 enableDurationFeature:
14267 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
14268 type: boolean
14269 externalAccountBinding:
14270 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
14271 type: object
14272 required:
14273 - keyID
14274 - keySecretRef
14275 properties:
14276 keyAlgorithm:
14277 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
14278 type: string
14279 enum:
14280 - HS256
14281 - HS384
14282 - HS512
14283 keyID:
14284 description: keyID is the ID of the CA key that the External Account is bound to.
14285 type: string
14286 keySecretRef:
14287 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
14288 type: object
14289 required:
14290 - name
14291 properties:
14292 key:
14293 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14294 type: string
14295 name:
14296 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14297 type: string
14298 preferredChain:
14299 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3", or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
14300 type: string
14301 maxLength: 64
14302 privateKeySecretRef:
14303 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
14304 type: object
14305 required:
14306 - name
14307 properties:
14308 key:
14309 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14310 type: string
14311 name:
14312 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14313 type: string
14314 server:
14315 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
14316 type: string
14317 skipTLSVerify:
14318 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
14319 type: boolean
14320 solvers:
14321 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
14322 type: array
14323 items:
14324 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
14325 type: object
14326 properties:
14327 dns01:
14328 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
14329 type: object
14330 properties:
14331 acmeDNS:
14332 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
14333 type: object
14334 required:
14335 - accountSecretRef
14336 - host
14337 properties:
14338 accountSecretRef:
14339 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14340 type: object
14341 required:
14342 - name
14343 properties:
14344 key:
14345 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14346 type: string
14347 name:
14348 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14349 type: string
14350 host:
14351 type: string
14352 akamai:
14353 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
14354 type: object
14355 required:
14356 - accessTokenSecretRef
14357 - clientSecretSecretRef
14358 - clientTokenSecretRef
14359 - serviceConsumerDomain
14360 properties:
14361 accessTokenSecretRef:
14362 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14363 type: object
14364 required:
14365 - name
14366 properties:
14367 key:
14368 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14369 type: string
14370 name:
14371 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14372 type: string
14373 clientSecretSecretRef:
14374 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14375 type: object
14376 required:
14377 - name
14378 properties:
14379 key:
14380 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14381 type: string
14382 name:
14383 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14384 type: string
14385 clientTokenSecretRef:
14386 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14387 type: object
14388 required:
14389 - name
14390 properties:
14391 key:
14392 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14393 type: string
14394 name:
14395 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14396 type: string
14397 serviceConsumerDomain:
14398 type: string
14399 azureDNS:
14400 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
14401 type: object
14402 required:
14403 - resourceGroupName
14404 - subscriptionID
14405 properties:
14406 clientID:
14407 description: If both this and ClientSecret are left unset, MSI will be used.
14408 type: string
14409 clientSecretSecretRef:
14410 description: If both this and ClientID are left unset, MSI will be used.
14411 type: object
14412 required:
14413 - name
14414 properties:
14415 key:
14416 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14417 type: string
14418 name:
14419 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14420 type: string
14421 environment:
14422 type: string
14423 enum:
14424 - AzurePublicCloud
14425 - AzureChinaCloud
14426 - AzureGermanCloud
14427 - AzureUSGovernmentCloud
14428 hostedZoneName:
14429 type: string
14430 resourceGroupName:
14431 type: string
14432 subscriptionID:
14433 type: string
14434 tenantID:
14435 description: When specifying ClientID and ClientSecret, this field is also needed.
14436 type: string
14437 cloudDNS:
14438 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
14439 type: object
14440 required:
14441 - project
14442 properties:
14443 hostedZoneName:
14444 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
14445 type: string
14446 project:
14447 type: string
14448 serviceAccountSecretRef:
14449 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14450 type: object
14451 required:
14452 - name
14453 properties:
14454 key:
14455 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14456 type: string
14457 name:
14458 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14459 type: string
14460 cloudflare:
14461 description: Use the Cloudflare API to manage DNS01 challenge records.
14462 type: object
14463 properties:
14464 apiKeySecretRef:
14465 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
14466 type: object
14467 required:
14468 - name
14469 properties:
14470 key:
14471 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14472 type: string
14473 name:
14474 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14475 type: string
14476 apiTokenSecretRef:
14477 description: API token used to authenticate with Cloudflare.
14478 type: object
14479 required:
14480 - name
14481 properties:
14482 key:
14483 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14484 type: string
14485 name:
14486 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14487 type: string
14488 email:
14489 description: Email of the account, only required when using API key based authentication.
14490 type: string
14491 cnameStrategy:
14492 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
14493 type: string
14494 enum:
14495 - None
14496 - Follow
14497 digitalocean:
14498 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
14499 type: object
14500 required:
14501 - tokenSecretRef
14502 properties:
14503 tokenSecretRef:
14504 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14505 type: object
14506 required:
14507 - name
14508 properties:
14509 key:
14510 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14511 type: string
14512 name:
14513 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14514 type: string
14515 rfc2136:
14516 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
14517 type: object
14518 required:
14519 - nameserver
14520 properties:
14521 nameserver:
14522 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
14523 type: string
14524 tsigAlgorithm:
14525 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
14526 type: string
14527 tsigKeyName:
14528 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
14529 type: string
14530 tsigSecretSecretRef:
14531 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
14532 type: object
14533 required:
14534 - name
14535 properties:
14536 key:
14537 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14538 type: string
14539 name:
14540 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14541 type: string
14542 route53:
14543 description: Use the AWS Route53 API to manage DNS01 challenge records.
14544 type: object
14545 required:
14546 - region
14547 properties:
14548 accessKeyID:
14549 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
14550 type: string
14551 hostedZoneID:
14552 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
14553 type: string
14554 region:
14555 description: Always set the region when using AccessKeyID and SecretAccessKey.
14556 type: string
14557 role:
14558 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
14559 type: string
14560 secretAccessKeySecretRef:
14561 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
14562 type: object
14563 required:
14564 - name
14565 properties:
14566 key:
14567 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14568 type: string
14569 name:
14570 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14571 type: string
14572 webhook:
14573 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
14574 type: object
14575 required:
14576 - groupName
14577 - solverName
14578 properties:
14579 config:
14580 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
14581 x-kubernetes-preserve-unknown-fields: true
14582 groupName:
14583 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
14584 type: string
14585 solverName:
14586 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
14587 type: string
14588 http01:
14589 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
14590 type: object
14591 properties:
14592 gatewayHTTPRoute:
14593 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
14594 type: object
14595 properties:
14596 labels:
14597 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
14598 type: object
14599 additionalProperties:
14600 type: string
14601 serviceType:
14602 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
14603 type: string
14604 ingress:
14605 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
14606 type: object
14607 properties:
14608 class:
14609 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
14610 type: string
14611 ingressTemplate:
14612 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
14613 type: object
14614 properties:
14615 metadata:
14616 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14617 type: object
14618 properties:
14619 annotations:
14620 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
14621 type: object
14622 additionalProperties:
14623 type: string
14624 labels:
14625 description: Labels that should be added to the created ACME HTTP01 solver ingress.
14626 type: object
14627 additionalProperties:
14628 type: string
14629 name:
14630 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
14631 type: string
14632 podTemplate:
14633 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
14634 type: object
14635 properties:
14636 metadata:
14637 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14638 type: object
14639 properties:
14640 annotations:
14641 description: Annotations that should be added to the created ACME HTTP01 solver pods.
14642 type: object
14643 additionalProperties:
14644 type: string
14645 labels:
14646 description: Labels that should be added to the created ACME HTTP01 solver pods.
14647 type: object
14648 additionalProperties:
14649 type: string
14650 spec:
14651 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
14652 type: object
14653 properties:
14654 affinity:
14655 description: If specified, the pod's scheduling constraints
14656 type: object
14657 properties:
14658 nodeAffinity:
14659 description: Describes node affinity scheduling rules for the pod.
14660 type: object
14661 properties:
14662 preferredDuringSchedulingIgnoredDuringExecution:
14663 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
14664 type: array
14665 items:
14666 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
14667 type: object
14668 required:
14669 - preference
14670 - weight
14671 properties:
14672 preference:
14673 description: A node selector term, associated with the corresponding weight.
14674 type: object
14675 properties:
14676 matchExpressions:
14677 description: A list of node selector requirements by node's labels.
14678 type: array
14679 items:
14680 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14681 type: object
14682 required:
14683 - key
14684 - operator
14685 properties:
14686 key:
14687 description: The label key that the selector applies to.
14688 type: string
14689 operator:
14690 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14691 type: string
14692 values:
14693 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14694 type: array
14695 items:
14696 type: string
14697 matchFields:
14698 description: A list of node selector requirements by node's fields.
14699 type: array
14700 items:
14701 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14702 type: object
14703 required:
14704 - key
14705 - operator
14706 properties:
14707 key:
14708 description: The label key that the selector applies to.
14709 type: string
14710 operator:
14711 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14712 type: string
14713 values:
14714 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14715 type: array
14716 items:
14717 type: string
14718 weight:
14719 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
14720 type: integer
14721 format: int32
14722 requiredDuringSchedulingIgnoredDuringExecution:
14723 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
14724 type: object
14725 required:
14726 - nodeSelectorTerms
14727 properties:
14728 nodeSelectorTerms:
14729 description: Required. A list of node selector terms. The terms are ORed.
14730 type: array
14731 items:
14732 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
14733 type: object
14734 properties:
14735 matchExpressions:
14736 description: A list of node selector requirements by node's labels.
14737 type: array
14738 items:
14739 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14740 type: object
14741 required:
14742 - key
14743 - operator
14744 properties:
14745 key:
14746 description: The label key that the selector applies to.
14747 type: string
14748 operator:
14749 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14750 type: string
14751 values:
14752 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14753 type: array
14754 items:
14755 type: string
14756 matchFields:
14757 description: A list of node selector requirements by node's fields.
14758 type: array
14759 items:
14760 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14761 type: object
14762 required:
14763 - key
14764 - operator
14765 properties:
14766 key:
14767 description: The label key that the selector applies to.
14768 type: string
14769 operator:
14770 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14771 type: string
14772 values:
14773 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14774 type: array
14775 items:
14776 type: string
14777 podAffinity:
14778 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
14779 type: object
14780 properties:
14781 preferredDuringSchedulingIgnoredDuringExecution:
14782 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14783 type: array
14784 items:
14785 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14786 type: object
14787 required:
14788 - podAffinityTerm
14789 - weight
14790 properties:
14791 podAffinityTerm:
14792 description: Required. A pod affinity term, associated with the corresponding weight.
14793 type: object
14794 required:
14795 - topologyKey
14796 properties:
14797 labelSelector:
14798 description: A label query over a set of resources, in this case pods.
14799 type: object
14800 properties:
14801 matchExpressions:
14802 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14803 type: array
14804 items:
14805 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14806 type: object
14807 required:
14808 - key
14809 - operator
14810 properties:
14811 key:
14812 description: key is the label key that the selector applies to.
14813 type: string
14814 operator:
14815 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14816 type: string
14817 values:
14818 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14819 type: array
14820 items:
14821 type: string
14822 matchLabels:
14823 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14824 type: object
14825 additionalProperties:
14826 type: string
14827 namespaceSelector:
14828 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14829 type: object
14830 properties:
14831 matchExpressions:
14832 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14833 type: array
14834 items:
14835 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14836 type: object
14837 required:
14838 - key
14839 - operator
14840 properties:
14841 key:
14842 description: key is the label key that the selector applies to.
14843 type: string
14844 operator:
14845 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14846 type: string
14847 values:
14848 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14849 type: array
14850 items:
14851 type: string
14852 matchLabels:
14853 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14854 type: object
14855 additionalProperties:
14856 type: string
14857 namespaces:
14858 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14859 type: array
14860 items:
14861 type: string
14862 topologyKey:
14863 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14864 type: string
14865 weight:
14866 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
14867 type: integer
14868 format: int32
14869 requiredDuringSchedulingIgnoredDuringExecution:
14870 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
14871 type: array
14872 items:
14873 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
14874 type: object
14875 required:
14876 - topologyKey
14877 properties:
14878 labelSelector:
14879 description: A label query over a set of resources, in this case pods.
14880 type: object
14881 properties:
14882 matchExpressions:
14883 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14884 type: array
14885 items:
14886 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14887 type: object
14888 required:
14889 - key
14890 - operator
14891 properties:
14892 key:
14893 description: key is the label key that the selector applies to.
14894 type: string
14895 operator:
14896 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14897 type: string
14898 values:
14899 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14900 type: array
14901 items:
14902 type: string
14903 matchLabels:
14904 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14905 type: object
14906 additionalProperties:
14907 type: string
14908 namespaceSelector:
14909 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14910 type: object
14911 properties:
14912 matchExpressions:
14913 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14914 type: array
14915 items:
14916 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14917 type: object
14918 required:
14919 - key
14920 - operator
14921 properties:
14922 key:
14923 description: key is the label key that the selector applies to.
14924 type: string
14925 operator:
14926 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14927 type: string
14928 values:
14929 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14930 type: array
14931 items:
14932 type: string
14933 matchLabels:
14934 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14935 type: object
14936 additionalProperties:
14937 type: string
14938 namespaces:
14939 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14940 type: array
14941 items:
14942 type: string
14943 topologyKey:
14944 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14945 type: string
14946 podAntiAffinity:
14947 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
14948 type: object
14949 properties:
14950 preferredDuringSchedulingIgnoredDuringExecution:
14951 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14952 type: array
14953 items:
14954 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14955 type: object
14956 required:
14957 - podAffinityTerm
14958 - weight
14959 properties:
14960 podAffinityTerm:
14961 description: Required. A pod affinity term, associated with the corresponding weight.
14962 type: object
14963 required:
14964 - topologyKey
14965 properties:
14966 labelSelector:
14967 description: A label query over a set of resources, in this case pods.
14968 type: object
14969 properties:
14970 matchExpressions:
14971 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14972 type: array
14973 items:
14974 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14975 type: object
14976 required:
14977 - key
14978 - operator
14979 properties:
14980 key:
14981 description: key is the label key that the selector applies to.
14982 type: string
14983 operator:
14984 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14985 type: string
14986 values:
14987 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14988 type: array
14989 items:
14990 type: string
14991 matchLabels:
14992 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14993 type: object
14994 additionalProperties:
14995 type: string
14996 namespaceSelector:
14997 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14998 type: object
14999 properties:
15000 matchExpressions:
15001 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15002 type: array
15003 items:
15004 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15005 type: object
15006 required:
15007 - key
15008 - operator
15009 properties:
15010 key:
15011 description: key is the label key that the selector applies to.
15012 type: string
15013 operator:
15014 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15015 type: string
15016 values:
15017 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15018 type: array
15019 items:
15020 type: string
15021 matchLabels:
15022 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15023 type: object
15024 additionalProperties:
15025 type: string
15026 namespaces:
15027 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15028 type: array
15029 items:
15030 type: string
15031 topologyKey:
15032 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15033 type: string
15034 weight:
15035 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
15036 type: integer
15037 format: int32
15038 requiredDuringSchedulingIgnoredDuringExecution:
15039 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
15040 type: array
15041 items:
15042 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
15043 type: object
15044 required:
15045 - topologyKey
15046 properties:
15047 labelSelector:
15048 description: A label query over a set of resources, in this case pods.
15049 type: object
15050 properties:
15051 matchExpressions:
15052 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15053 type: array
15054 items:
15055 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15056 type: object
15057 required:
15058 - key
15059 - operator
15060 properties:
15061 key:
15062 description: key is the label key that the selector applies to.
15063 type: string
15064 operator:
15065 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15066 type: string
15067 values:
15068 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15069 type: array
15070 items:
15071 type: string
15072 matchLabels:
15073 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15074 type: object
15075 additionalProperties:
15076 type: string
15077 namespaceSelector:
15078 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
15079 type: object
15080 properties:
15081 matchExpressions:
15082 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15083 type: array
15084 items:
15085 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15086 type: object
15087 required:
15088 - key
15089 - operator
15090 properties:
15091 key:
15092 description: key is the label key that the selector applies to.
15093 type: string
15094 operator:
15095 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15096 type: string
15097 values:
15098 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15099 type: array
15100 items:
15101 type: string
15102 matchLabels:
15103 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15104 type: object
15105 additionalProperties:
15106 type: string
15107 namespaces:
15108 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15109 type: array
15110 items:
15111 type: string
15112 topologyKey:
15113 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15114 type: string
15115 nodeSelector:
15116 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
15117 type: object
15118 additionalProperties:
15119 type: string
15120 priorityClassName:
15121 description: If specified, the pod's priorityClassName.
15122 type: string
15123 serviceAccountName:
15124 description: If specified, the pod's service account
15125 type: string
15126 tolerations:
15127 description: If specified, the pod's tolerations.
15128 type: array
15129 items:
15130 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
15131 type: object
15132 properties:
15133 effect:
15134 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
15135 type: string
15136 key:
15137 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
15138 type: string
15139 operator:
15140 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
15141 type: string
15142 tolerationSeconds:
15143 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
15144 type: integer
15145 format: int64
15146 value:
15147 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
15148 type: string
15149 serviceType:
15150 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
15151 type: string
15152 selector:
15153 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
15154 type: object
15155 properties:
15156 dnsNames:
15157 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
15158 type: array
15159 items:
15160 type: string
15161 dnsZones:
15162 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
15163 type: array
15164 items:
15165 type: string
15166 matchLabels:
15167 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
15168 type: object
15169 additionalProperties:
15170 type: string
15171 ca:
15172 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
15173 type: object
15174 required:
15175 - secretName
15176 properties:
15177 crlDistributionPoints:
15178 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
15179 type: array
15180 items:
15181 type: string
15182 ocspServers:
15183 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
15184 type: array
15185 items:
15186 type: string
15187 secretName:
15188 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
15189 type: string
15190 selfSigned:
15191 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
15192 type: object
15193 properties:
15194 crlDistributionPoints:
15195 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
15196 type: array
15197 items:
15198 type: string
15199 vault:
15200 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
15201 type: object
15202 required:
15203 - auth
15204 - path
15205 - server
15206 properties:
15207 auth:
15208 description: Auth configures how cert-manager authenticates with the Vault server.
15209 type: object
15210 properties:
15211 appRole:
15212 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
15213 type: object
15214 required:
15215 - path
15216 - roleId
15217 - secretRef
15218 properties:
15219 path:
15220 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
15221 type: string
15222 roleId:
15223 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
15224 type: string
15225 secretRef:
15226 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
15227 type: object
15228 required:
15229 - name
15230 properties:
15231 key:
15232 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15233 type: string
15234 name:
15235 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15236 type: string
15237 kubernetes:
15238 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
15239 type: object
15240 required:
15241 - role
15242 - secretRef
15243 properties:
15244 mountPath:
15245 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
15246 type: string
15247 role:
15248 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
15249 type: string
15250 secretRef:
15251 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
15252 type: object
15253 required:
15254 - name
15255 properties:
15256 key:
15257 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15258 type: string
15259 name:
15260 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15261 type: string
15262 tokenSecretRef:
15263 description: TokenSecretRef authenticates with Vault by presenting a token.
15264 type: object
15265 required:
15266 - name
15267 properties:
15268 key:
15269 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15270 type: string
15271 name:
15272 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15273 type: string
15274 caBundle:
15275 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
15276 type: string
15277 format: byte
15278 namespace:
15279 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy, e.g: "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
15280 type: string
15281 path:
15282 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
15283 type: string
15284 server:
15285 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
15286 type: string
15287 venafi:
15288 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
15289 type: object
15290 required:
15291 - zone
15292 properties:
15293 cloud:
15294 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
15295 type: object
15296 required:
15297 - apiTokenSecretRef
15298 properties:
15299 apiTokenSecretRef:
15300 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
15301 type: object
15302 required:
15303 - name
15304 properties:
15305 key:
15306 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15307 type: string
15308 name:
15309 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15310 type: string
15311 url:
15312 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
15313 type: string
15314 tpp:
15315 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
15316 type: object
15317 required:
15318 - credentialsRef
15319 - url
15320 properties:
15321 caBundle:
15322 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
15323 type: string
15324 format: byte
15325 credentialsRef:
15326 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
15327 type: object
15328 required:
15329 - name
15330 properties:
15331 name:
15332 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15333 type: string
15334 url:
15335 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
15336 type: string
15337 zone:
15338 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
15339 type: string
15340 status:
15341 description: Status of the Issuer. This is set and managed automatically.
15342 type: object
15343 properties:
15344 acme:
15345 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
15346 type: object
15347 properties:
15348 lastRegisteredEmail:
15349 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
15350 type: string
15351 uri:
15352 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
15353 type: string
15354 conditions:
15355 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
15356 type: array
15357 items:
15358 description: IssuerCondition contains condition information for an Issuer.
15359 type: object
15360 required:
15361 - status
15362 - type
15363 properties:
15364 lastTransitionTime:
15365 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
15366 type: string
15367 format: date-time
15368 message:
15369 description: Message is a human readable description of the details of the last transition, complementing reason.
15370 type: string
15371 observedGeneration:
15372 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
15373 type: integer
15374 format: int64
15375 reason:
15376 description: Reason is a brief machine readable explanation for the condition's last transition.
15377 type: string
15378 status:
15379 description: Status of the condition, one of (`True`, `False`, `Unknown`).
15380 type: string
15381 enum:
15382 - "True"
15383 - "False"
15384 - Unknown
15385 type:
15386 description: Type of the condition, known values are (`Ready`).
15387 type: string
15388 served: true
15389 storage: true
15390---
15391# Source: cert-manager/templates/templates.out
15392apiVersion: apiextensions.k8s.io/v1
15393kind: CustomResourceDefinition
15394metadata:
15395 name: orders.acme.cert-manager.io
15396 annotations:
15397 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
15398 labels:
15399 app: 'cert-manager'
15400 app.kubernetes.io/name: 'cert-manager'
15401 app.kubernetes.io/instance: 'cert-manager'
15402 # Generated labels
15403 app.kubernetes.io/version: "v1.5.4"
15404spec:
15405 group: acme.cert-manager.io
15406 names:
15407 kind: Order
15408 listKind: OrderList
15409 plural: orders
15410 singular: order
15411 categories:
15412 - cert-manager
15413 - cert-manager-acme
15414 scope: Namespaced
15415 conversion:
15416 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
15417 strategy: Webhook
15418 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by the API server.
15419 webhook:
15420 # We don't actually support `v1beta1` but it is listed here as it is a
15421 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
15422 # API server reads the supported versions in order, so _should always_
15423 # attempt a `v1` request which is understood by the cert-manager webhook.
15424 # Any `v1beta1` request will return an error and fail closed for that
15425 # resource (the whole object request is rejected).
15426 # When we no longer support v1.16 we can remove `v1beta1` from this list.
15427 conversionReviewVersions: ["v1", "v1beta1"]
15428 clientConfig:
15429 #
15430 service:
15431 name: 'cert-manager-webhook'
15432 namespace: "cert-manager"
15433 path: /convert
15434 #
15435 versions:
15436 - name: v1alpha2
15437 subresources:
15438 status: {}
15439 additionalPrinterColumns:
15440 - jsonPath: .status.state
15441 name: State
15442 type: string
15443 - jsonPath: .spec.issuerRef.name
15444 name: Issuer
15445 priority: 1
15446 type: string
15447 - jsonPath: .status.reason
15448 name: Reason
15449 priority: 1
15450 type: string
15451 - jsonPath: .metadata.creationTimestamp
15452 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15453 name: Age
15454 type: date
15455 schema:
15456 openAPIV3Schema:
15457 description: Order is a type to represent an Order with an ACME server
15458 type: object
15459 required:
15460 - metadata
15461 properties:
15462 apiVersion:
15463 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15464 type: string
15465 kind:
15466 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15467 type: string
15468 metadata:
15469 type: object
15470 spec:
15471 type: object
15472 required:
15473 - csr
15474 - issuerRef
15475 properties:
15476 commonName:
15477 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15478 type: string
15479 csr:
15480 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15481 type: string
15482 format: byte
15483 dnsNames:
15484 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15485 type: array
15486 items:
15487 type: string
15488 duration:
15489 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15490 type: string
15491 ipAddresses:
15492 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15493 type: array
15494 items:
15495 type: string
15496 issuerRef:
15497 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15498 type: object
15499 required:
15500 - name
15501 properties:
15502 group:
15503 description: Group of the resource being referred to.
15504 type: string
15505 kind:
15506 description: Kind of the resource being referred to.
15507 type: string
15508 name:
15509 description: Name of the resource being referred to.
15510 type: string
15511 status:
15512 type: object
15513 properties:
15514 authorizations:
15515 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15516 type: array
15517 items:
15518 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15519 type: object
15520 required:
15521 - url
15522 properties:
15523 challenges:
15524 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15525 type: array
15526 items:
15527 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15528 type: object
15529 required:
15530 - token
15531 - type
15532 - url
15533 properties:
15534 token:
15535 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15536 type: string
15537 type:
15538 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15539 type: string
15540 url:
15541 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15542 type: string
15543 identifier:
15544 description: Identifier is the DNS name to be validated as part of this authorization
15545 type: string
15546 initialState:
15547 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15548 type: string
15549 enum:
15550 - valid
15551 - ready
15552 - pending
15553 - processing
15554 - invalid
15555 - expired
15556 - errored
15557 url:
15558 description: URL is the URL of the Authorization that must be completed
15559 type: string
15560 wildcard:
15561 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15562 type: boolean
15563 certificate:
15564 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15565 type: string
15566 format: byte
15567 failureTime:
15568 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15569 type: string
15570 format: date-time
15571 finalizeURL:
15572 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15573 type: string
15574 reason:
15575 description: Reason optionally provides more information about why the order is in the current state.
15576 type: string
15577 state:
15578 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'.
15579 type: string
15580 enum:
15581 - valid
15582 - ready
15583 - pending
15584 - processing
15585 - invalid
15586 - expired
15587 - errored
15588 url:
15589 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15590 type: string
15591 served: true
15592 storage: false
15593 - name: v1alpha3
15594 subresources:
15595 status: {}
15596 additionalPrinterColumns:
15597 - jsonPath: .status.state
15598 name: State
15599 type: string
15600 - jsonPath: .spec.issuerRef.name
15601 name: Issuer
15602 priority: 1
15603 type: string
15604 - jsonPath: .status.reason
15605 name: Reason
15606 priority: 1
15607 type: string
15608 - jsonPath: .metadata.creationTimestamp
15609 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15610 name: Age
15611 type: date
15612 schema:
15613 openAPIV3Schema:
15614 description: Order is a type to represent an Order with an ACME server
15615 type: object
15616 required:
15617 - metadata
15618 properties:
15619 apiVersion:
15620 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15621 type: string
15622 kind:
15623 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15624 type: string
15625 metadata:
15626 type: object
15627 spec:
15628 type: object
15629 required:
15630 - csr
15631 - issuerRef
15632 properties:
15633 commonName:
15634 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15635 type: string
15636 csr:
15637 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15638 type: string
15639 format: byte
15640 dnsNames:
15641 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15642 type: array
15643 items:
15644 type: string
15645 duration:
15646 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15647 type: string
15648 ipAddresses:
15649 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15650 type: array
15651 items:
15652 type: string
15653 issuerRef:
15654 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15655 type: object
15656 required:
15657 - name
15658 properties:
15659 group:
15660 description: Group of the resource being referred to.
15661 type: string
15662 kind:
15663 description: Kind of the resource being referred to.
15664 type: string
15665 name:
15666 description: Name of the resource being referred to.
15667 type: string
15668 status:
15669 type: object
15670 properties:
15671 authorizations:
15672 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15673 type: array
15674 items:
15675 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15676 type: object
15677 required:
15678 - url
15679 properties:
15680 challenges:
15681 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15682 type: array
15683 items:
15684 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15685 type: object
15686 required:
15687 - token
15688 - type
15689 - url
15690 properties:
15691 token:
15692 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15693 type: string
15694 type:
15695 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15696 type: string
15697 url:
15698 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15699 type: string
15700 identifier:
15701 description: Identifier is the DNS name to be validated as part of this authorization
15702 type: string
15703 initialState:
15704 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15705 type: string
15706 enum:
15707 - valid
15708 - ready
15709 - pending
15710 - processing
15711 - invalid
15712 - expired
15713 - errored
15714 url:
15715 description: URL is the URL of the Authorization that must be completed
15716 type: string
15717 wildcard:
15718 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15719 type: boolean
15720 certificate:
15721 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15722 type: string
15723 format: byte
15724 failureTime:
15725 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15726 type: string
15727 format: date-time
15728 finalizeURL:
15729 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15730 type: string
15731 reason:
15732 description: Reason optionally provides more information about why the order is in the current state.
15733 type: string
15734 state:
15735 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'.
15736 type: string
15737 enum:
15738 - valid
15739 - ready
15740 - pending
15741 - processing
15742 - invalid
15743 - expired
15744 - errored
15745 url:
15746 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. cert-manager treats this field as immutable after it is initially set; note that this immutability is not expressed in the field's schema (it is a plain string with no validation rule).
15747 type: string
15748 served: true
15749 storage: false
15750 - name: v1beta1
15751 subresources:
15752 status: {}
15753 additionalPrinterColumns:
15754 - jsonPath: .status.state
15755 name: State
15756 type: string
15757 - jsonPath: .spec.issuerRef.name
15758 name: Issuer
15759 priority: 1
15760 type: string
15761 - jsonPath: .status.reason
15762 name: Reason
15763 priority: 1
15764 type: string
15765 - jsonPath: .metadata.creationTimestamp
15766 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15767 name: Age
15768 type: date
15769 schema:
15770 openAPIV3Schema:
15771 description: Order is a type to represent an Order with an ACME server
15772 type: object
15773 required:
15774 - metadata
15775 - spec
15776 properties:
15777 apiVersion:
15778 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15779 type: string
15780 kind:
15781 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15782 type: string
15783 metadata:
15784 type: object
15785 spec:
15786 type: object
15787 required:
15788 - issuerRef
15789 - request
15790 properties:
15791 commonName:
15792 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15793 type: string
15794 dnsNames:
15795 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15796 type: array
15797 items:
15798 type: string
15799 duration:
15800 description: Duration is the requested duration up to the 'not after' date of the requested certificate. This is set on order creation as per the ACME spec.
15801 type: string
15802 ipAddresses:
15803 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15804 type: array
15805 items:
15806 type: string
15807 issuerRef:
15808 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15809 type: object
15810 required:
15811 - name
15812 properties:
15813 group:
15814 description: Group of the resource being referred to.
15815 type: string
15816 kind:
15817 description: Kind of the resource being referred to.
15818 type: string
15819 name:
15820 description: Name of the resource being referred to.
15821 type: string
15822 request:
15823 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15824 type: string
15825 format: byte
15826 status:
15827 type: object
15828 properties:
15829 authorizations:
15830 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15831 type: array
15832 items:
15833 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15834 type: object
15835 required:
15836 - url
15837 properties:
15838 challenges:
15839 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15840 type: array
15841 items:
15842 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15843 type: object
15844 required:
15845 - token
15846 - type
15847 - url
15848 properties:
15849 token:
15850 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15851 type: string
15852 type:
15853 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15854 type: string
15855 url:
15856 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15857 type: string
15858 identifier:
15859 description: Identifier is the DNS name to be validated as part of this authorization
15860 type: string
15861 initialState:
15862 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15863 type: string
15864 enum:
15865 - valid
15866 - ready
15867 - pending
15868 - processing
15869 - invalid
15870 - expired
15871 - errored
15872 url:
15873 description: URL is the URL of the Authorization that must be completed
15874 type: string
15875 wildcard:
15876 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15877 type: boolean
15878 certificate:
15879 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15880 type: string
15881 format: byte
15882 failureTime:
15883 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15884 type: string
15885 format: date-time
15886 finalizeURL:
15887 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15888 type: string
15889 reason:
15890 description: Reason optionally provides more information about why the order is in the current state.
15891 type: string
15892 state:
15893 description: State contains the current state of this Order resource. States 'expired' and 'valid' are 'final'. (Earlier text named 'success' as a final state, but 'success' is not a permitted value of the enum below; 'valid' is presumably what was meant.)
15894 type: string
15895 enum:
15896 - valid
15897 - ready
15898 - pending
15899 - processing
15900 - invalid
15901 - expired
15902 - errored
15903 url:
15904 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. cert-manager treats this field as immutable after it is initially set; note that this immutability is not expressed in the field's schema (it is a plain string with no validation rule).
15905 type: string
15906 served: true
15907 storage: false
15908 - name: v1
15909 subresources:
15910 status: {}
15911 additionalPrinterColumns:
15912 - jsonPath: .status.state
15913 name: State
15914 type: string
15915 - jsonPath: .spec.issuerRef.name
15916 name: Issuer
15917 priority: 1
15918 type: string
15919 - jsonPath: .status.reason
15920 name: Reason
15921 priority: 1
15922 type: string
15923 - jsonPath: .metadata.creationTimestamp
15924 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15925 name: Age
15926 type: date
15927 schema:
15928 openAPIV3Schema:
15929 description: Order is a type to represent an Order with an ACME server
15930 type: object
15931 required:
15932 - metadata
15933 - spec
15934 properties:
15935 apiVersion:
15936 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15937 type: string
15938 kind:
15939 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15940 type: string
15941 metadata:
15942 type: object
15943 spec:
15944 type: object
15945 required:
15946 - issuerRef
15947 - request
15948 properties:
15949 commonName:
15950 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15951 type: string
15952 dnsNames:
15953 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15954 type: array
15955 items:
15956 type: string
15957 duration:
15958 description: Duration is the requested duration up to the 'not after' date of the requested certificate. This is set on order creation as per the ACME spec.
15959 type: string
15960 ipAddresses:
15961 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15962 type: array
15963 items:
15964 type: string
15965 issuerRef:
15966 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15967 type: object
15968 required:
15969 - name
15970 properties:
15971 group:
15972 description: Group of the resource being referred to.
15973 type: string
15974 kind:
15975 description: Kind of the resource being referred to.
15976 type: string
15977 name:
15978 description: Name of the resource being referred to.
15979 type: string
15980 request:
15981 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15982 type: string
15983 format: byte
15984 status:
15985 type: object
15986 properties:
15987 authorizations:
15988 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15989 type: array
15990 items:
15991 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15992 type: object
15993 required:
15994 - url
15995 properties:
15996 challenges:
15997 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15998 type: array
15999 items:
16000 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
16001 type: object
16002 required:
16003 - token
16004 - type
16005 - url
16006 properties:
16007 token:
16008 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
16009 type: string
16010 type:
16011 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
16012 type: string
16013 url:
16014 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
16015 type: string
16016 identifier:
16017 description: Identifier is the DNS name to be validated as part of this authorization
16018 type: string
16019 initialState:
16020 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
16021 type: string
16022 enum:
16023 - valid
16024 - ready
16025 - pending
16026 - processing
16027 - invalid
16028 - expired
16029 - errored
16030 url:
16031 description: URL is the URL of the Authorization that must be completed
16032 type: string
16033 wildcard:
16034 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
16035 type: boolean
16036 certificate:
16037 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
16038 type: string
16039 format: byte
16040 failureTime:
16041 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
16042 type: string
16043 format: date-time
16044 finalizeURL:
16045 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
16046 type: string
16047 reason:
16048 description: Reason optionally provides more information about why the order is in the current state.
16049 type: string
16050 state:
16051 description: State contains the current state of this Order resource. States 'expired' and 'valid' are 'final'. (Earlier text named 'success' as a final state, but 'success' is not a permitted value of the enum below; 'valid' is presumably what was meant.)
16052 type: string
16053 enum:
16054 - valid
16055 - ready
16056 - pending
16057 - processing
16058 - invalid
16059 - expired
16060 - errored
16061 url:
16062 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. cert-manager treats this field as immutable after it is initially set; note that this immutability is not expressed in the field's schema (it is a plain string with no validation rule).
16063 type: string
16064 served: true
16065 storage: true