

  1. # Copyright 2022 The cert-manager Authors.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. #apiVersion: v1
  15. #kind: Namespace
  16. #metadata:
  17. # name: obs-operator
  18. #---
  19. # Source: cert-manager/templates/crds.yaml
  20. #
  21. # START crd
  22. apiVersion: apiextensions.k8s.io/v1
  23. kind: CustomResourceDefinition
  24. metadata:
  25. name: certificaterequests.cert-manager.io
  26. # START annotations
  27. annotations:
  28. helm.sh/resource-policy: keep
  29. # END annotations
  30. labels:
  31. app: 'cert-manager'
  32. app.kubernetes.io/name: 'cert-manager'
  33. app.kubernetes.io/instance: 'cert-manager'
  34. # Generated labels
  35. app.kubernetes.io/version: "v1.15.2"
  36. spec:
  37. group: cert-manager.io
  38. names:
  39. kind: CertificateRequest
  40. listKind: CertificateRequestList
  41. plural: certificaterequests
  42. shortNames:
  43. - cr
  44. - crs
  45. singular: certificaterequest
  46. categories:
  47. - cert-manager
  48. scope: Namespaced
  49. versions:
  50. - name: v1
  51. subresources:
  52. status: {}
  53. additionalPrinterColumns:
  54. - jsonPath: .status.conditions[?(@.type=="Approved")].status
  55. name: Approved
  56. type: string
  57. - jsonPath: .status.conditions[?(@.type=="Denied")].status
  58. name: Denied
  59. type: string
  60. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  61. name: Ready
  62. type: string
  63. - jsonPath: .spec.issuerRef.name
  64. name: Issuer
  65. type: string
  66. - jsonPath: .spec.username
  67. name: Requestor
  68. type: string
  69. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  70. name: Status
  71. priority: 1
  72. type: string
  73. - jsonPath: .metadata.creationTimestamp
  74. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  75. name: Age
  76. type: date
  77. schema:
  78. openAPIV3Schema:
  79. description: |-
  80. A CertificateRequest is used to request a signed certificate from one of the
  81. configured issuers.
  82. All fields within the CertificateRequest's `spec` are immutable after creation.
  83. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
  84. condition and its `status.failureTime` field.
  85. A CertificateRequest is a one-shot resource, meaning it represents a single
  86. point in time request for a certificate and cannot be re-used.
  87. type: object
  88. properties:
  89. apiVersion:
  90. description: |-
  91. APIVersion defines the versioned schema of this representation of an object.
  92. Servers should convert recognized schemas to the latest internal value, and
  93. may reject unrecognized values.
  94. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  95. type: string
  96. kind:
  97. description: |-
  98. Kind is a string value representing the REST resource this object represents.
  99. Servers may infer this from the endpoint the client submits requests to.
  100. Cannot be updated.
  101. In CamelCase.
  102. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  103. type: string
  104. metadata:
  105. type: object
  106. spec:
  107. description: |-
  108. Specification of the desired state of the CertificateRequest resource.
  109. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
  110. type: object
  111. required:
  112. - issuerRef
  113. - request
  114. properties:
  115. duration:
  116. description: |-
  117. Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
  118. issuer may choose to ignore the requested duration, just like any other
  119. requested attribute.
  120. type: string
  121. extra:
  122. description: |-
  123. Extra contains extra attributes of the user that created the CertificateRequest.
  124. Populated by the cert-manager webhook on creation and immutable.
  125. type: object
  126. additionalProperties:
  127. type: array
  128. items:
  129. type: string
  130. groups:
  131. description: |-
  132. Groups contains group membership of the user that created the CertificateRequest.
  133. Populated by the cert-manager webhook on creation and immutable.
  134. type: array
  135. items:
  136. type: string
  137. x-kubernetes-list-type: atomic
  138. isCA:
  139. description: |-
  140. Requested basic constraints isCA value. Note that the issuer may choose
  141. to ignore the requested isCA value, just like any other requested attribute.
  142. NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
  143. it must have the same isCA value as specified here.
  144. If true, this will automatically add the `cert sign` usage to the list
  145. of requested `usages`.
  146. type: boolean
  147. issuerRef:
  148. description: |-
  149. Reference to the issuer responsible for issuing the certificate.
  150. If the issuer is namespace-scoped, it must be in the same namespace
  151. as the Certificate. If the issuer is cluster-scoped, it can be used
  152. from any namespace.
  153. The `name` field of the reference must always be specified.
  154. type: object
  155. required:
  156. - name
  157. properties:
  158. group:
  159. description: Group of the resource being referred to.
  160. type: string
  161. kind:
  162. description: Kind of the resource being referred to.
  163. type: string
  164. name:
  165. description: Name of the resource being referred to.
  166. type: string
  167. request:
  168. description: |-
  169. The PEM-encoded X.509 certificate signing request to be submitted to the
  170. issuer for signing.
  171. If the CSR has a BasicConstraints extension, its isCA attribute must
  172. match the `isCA` value of this CertificateRequest.
  173. If the CSR has a KeyUsage extension, its key usages must match the
  174. key usages in the `usages` field of this CertificateRequest.
  175. If the CSR has a ExtKeyUsage extension, its extended key usages
  176. must match the extended key usages in the `usages` field of this
  177. CertificateRequest.
  178. type: string
  179. format: byte
  180. uid:
  181. description: |-
  182. UID contains the uid of the user that created the CertificateRequest.
  183. Populated by the cert-manager webhook on creation and immutable.
  184. type: string
  185. usages:
  186. description: |-
  187. Requested key usages and extended key usages.
  188. NOTE: If the CSR in the `Request` field has uses the KeyUsage or
  189. ExtKeyUsage extension, these extensions must have the same values
  190. as specified here without any additional values.
  191. If unset, defaults to `digital signature` and `key encipherment`.
  192. type: array
  193. items:
  194. description: |-
  195. KeyUsage specifies valid usage contexts for keys.
  196. See:
  197. https://tools.ietf.org/html/rfc5280#section-4.2.1.3
  198. https://tools.ietf.org/html/rfc5280#section-4.2.1.12
  199. Valid KeyUsage values are as follows:
  200. "signing",
  201. "digital signature",
  202. "content commitment",
  203. "key encipherment",
  204. "key agreement",
  205. "data encipherment",
  206. "cert sign",
  207. "crl sign",
  208. "encipher only",
  209. "decipher only",
  210. "any",
  211. "server auth",
  212. "client auth",
  213. "code signing",
  214. "email protection",
  215. "s/mime",
  216. "ipsec end system",
  217. "ipsec tunnel",
  218. "ipsec user",
  219. "timestamping",
  220. "ocsp signing",
  221. "microsoft sgc",
  222. "netscape sgc"
  223. type: string
  224. enum:
  225. - signing
  226. - digital signature
  227. - content commitment
  228. - key encipherment
  229. - key agreement
  230. - data encipherment
  231. - cert sign
  232. - crl sign
  233. - encipher only
  234. - decipher only
  235. - any
  236. - server auth
  237. - client auth
  238. - code signing
  239. - email protection
  240. - s/mime
  241. - ipsec end system
  242. - ipsec tunnel
  243. - ipsec user
  244. - timestamping
  245. - ocsp signing
  246. - microsoft sgc
  247. - netscape sgc
  248. username:
  249. description: |-
  250. Username contains the name of the user that created the CertificateRequest.
  251. Populated by the cert-manager webhook on creation and immutable.
  252. type: string
  253. status:
  254. description: |-
  255. Status of the CertificateRequest.
  256. This is set and managed automatically.
  257. Read-only.
  258. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
  259. type: object
  260. properties:
  261. ca:
  262. description: |-
  263. The PEM encoded X.509 certificate of the signer, also known as the CA
  264. (Certificate Authority).
  265. This is set on a best-effort basis by different issuers.
  266. If not set, the CA is assumed to be unknown/not available.
  267. type: string
  268. format: byte
  269. certificate:
  270. description: |-
  271. The PEM encoded X.509 certificate resulting from the certificate
  272. signing request.
  273. If not set, the CertificateRequest has either not been completed or has
  274. failed. More information on failure can be found by checking the
  275. `conditions` field.
  276. type: string
  277. format: byte
  278. conditions:
  279. description: |-
  280. List of status conditions to indicate the status of a CertificateRequest.
  281. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
  282. type: array
  283. items:
  284. description: CertificateRequestCondition contains condition information for a CertificateRequest.
  285. type: object
  286. required:
  287. - status
  288. - type
  289. properties:
  290. lastTransitionTime:
  291. description: |-
  292. LastTransitionTime is the timestamp corresponding to the last status
  293. change of this condition.
  294. type: string
  295. format: date-time
  296. message:
  297. description: |-
  298. Message is a human readable description of the details of the last
  299. transition, complementing reason.
  300. type: string
  301. reason:
  302. description: |-
  303. Reason is a brief machine readable explanation for the condition's last
  304. transition.
  305. type: string
  306. status:
  307. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  308. type: string
  309. enum:
  310. - "True"
  311. - "False"
  312. - Unknown
  313. type:
  314. description: |-
  315. Type of the condition, known values are (`Ready`, `InvalidRequest`,
  316. `Approved`, `Denied`).
  317. type: string
  318. x-kubernetes-list-map-keys:
  319. - type
  320. x-kubernetes-list-type: map
  321. failureTime:
  322. description: |-
  323. FailureTime stores the time that this CertificateRequest failed. This is
  324. used to influence garbage collection and back-off.
  325. type: string
  326. format: date-time
  327. served: true
  328. storage: true
  329. # END crd
  330. ---
  331. # Source: cert-manager/templates/crds.yaml
  332. # START crd
  333. apiVersion: apiextensions.k8s.io/v1
  334. kind: CustomResourceDefinition
  335. metadata:
  336. name: certificates.cert-manager.io
  337. # START annotations
  338. annotations:
  339. helm.sh/resource-policy: keep
  340. # END annotations
  341. labels:
  342. app: 'cert-manager'
  343. app.kubernetes.io/name: 'cert-manager'
  344. app.kubernetes.io/instance: 'cert-manager'
  345. # Generated labels
  346. app.kubernetes.io/version: "v1.15.2"
  347. spec:
  348. group: cert-manager.io
  349. names:
  350. kind: Certificate
  351. listKind: CertificateList
  352. plural: certificates
  353. shortNames:
  354. - cert
  355. - certs
  356. singular: certificate
  357. categories:
  358. - cert-manager
  359. scope: Namespaced
  360. versions:
  361. - name: v1
  362. subresources:
  363. status: {}
  364. additionalPrinterColumns:
  365. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  366. name: Ready
  367. type: string
  368. - jsonPath: .spec.secretName
  369. name: Secret
  370. type: string
  371. - jsonPath: .spec.issuerRef.name
  372. name: Issuer
  373. priority: 1
  374. type: string
  375. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  376. name: Status
  377. priority: 1
  378. type: string
  379. - jsonPath: .metadata.creationTimestamp
  380. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  381. name: Age
  382. type: date
  383. schema:
  384. openAPIV3Schema:
  385. description: |-
  386. A Certificate resource should be created to ensure an up to date and signed
  387. X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
  388. The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
  389. type: object
  390. properties:
  391. apiVersion:
  392. description: |-
  393. APIVersion defines the versioned schema of this representation of an object.
  394. Servers should convert recognized schemas to the latest internal value, and
  395. may reject unrecognized values.
  396. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  397. type: string
  398. kind:
  399. description: |-
  400. Kind is a string value representing the REST resource this object represents.
  401. Servers may infer this from the endpoint the client submits requests to.
  402. Cannot be updated.
  403. In CamelCase.
  404. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  405. type: string
  406. metadata:
  407. type: object
  408. spec:
  409. description: |-
  410. Specification of the desired state of the Certificate resource.
  411. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
  412. type: object
  413. required:
  414. - issuerRef
  415. - secretName
  416. properties:
  417. additionalOutputFormats:
  418. description: |-
  419. Defines extra output formats of the private key and signed certificate chain
  420. to be written to this Certificate's target Secret.
  421. This is a Beta Feature enabled by default. It can be disabled with the
  422. `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
  423. the controller and webhook components.
  424. type: array
  425. items:
  426. description: |-
  427. CertificateAdditionalOutputFormat defines an additional output format of a
  428. Certificate resource. These contain supplementary data formats of the signed
  429. certificate chain and paired private key.
  430. type: object
  431. required:
  432. - type
  433. properties:
  434. type:
  435. description: |-
  436. Type is the name of the format type that should be written to the
  437. Certificate's target Secret.
  438. type: string
  439. enum:
  440. - DER
  441. - CombinedPEM
  442. commonName:
  443. description: |-
  444. Requested common name X509 certificate subject attribute.
  445. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
  446. NOTE: TLS clients will ignore this value when any subject alternative name is
  447. set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
  448. Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
  449. Cannot be set if the `literalSubject` field is set.
  450. type: string
  451. dnsNames:
  452. description: Requested DNS subject alternative names.
  453. type: array
  454. items:
  455. type: string
  456. duration:
  457. description: |-
  458. Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
  459. issuer may choose to ignore the requested duration, just like any other
  460. requested attribute.
  461. If unset, this defaults to 90 days.
  462. Minimum accepted duration is 1 hour.
  463. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
  464. type: string
  465. emailAddresses:
  466. description: Requested email subject alternative names.
  467. type: array
  468. items:
  469. type: string
  470. encodeUsagesInRequest:
  471. description: |-
  472. Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
  473. This option defaults to true, and should only be disabled if the target
  474. issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
  475. type: boolean
  476. ipAddresses:
  477. description: Requested IP address subject alternative names.
  478. type: array
  479. items:
  480. type: string
  481. isCA:
  482. description: |-
  483. Requested basic constraints isCA value.
  484. The isCA value is used to set the `isCA` field on the created CertificateRequest
  485. resources. Note that the issuer may choose to ignore the requested isCA value, just
  486. like any other requested attribute.
  487. If true, this will automatically add the `cert sign` usage to the list
  488. of requested `usages`.
  489. type: boolean
  490. issuerRef:
  491. description: |-
  492. Reference to the issuer responsible for issuing the certificate.
  493. If the issuer is namespace-scoped, it must be in the same namespace
  494. as the Certificate. If the issuer is cluster-scoped, it can be used
  495. from any namespace.
  496. The `name` field of the reference must always be specified.
  497. type: object
  498. required:
  499. - name
  500. properties:
  501. group:
  502. description: Group of the resource being referred to.
  503. type: string
  504. kind:
  505. description: Kind of the resource being referred to.
  506. type: string
  507. name:
  508. description: Name of the resource being referred to.
  509. type: string
  510. keystores:
  511. description: Additional keystore output formats to be stored in the Certificate's Secret.
  512. type: object
  513. properties:
  514. jks:
  515. description: |-
  516. JKS configures options for storing a JKS keystore in the
  517. `spec.secretName` Secret resource.
  518. type: object
  519. required:
  520. - create
  521. - passwordSecretRef
  522. properties:
  523. alias:
  524. description: |-
  525. Alias specifies the alias of the key in the keystore, required by the JKS format.
  526. If not provided, the default alias `certificate` will be used.
  527. type: string
  528. create:
  529. description: |-
  530. Create enables JKS keystore creation for the Certificate.
  531. If true, a file named `keystore.jks` will be created in the target
  532. Secret resource, encrypted using the password stored in
  533. `passwordSecretRef`.
  534. The keystore file will be updated immediately.
  535. If the issuer provided a CA certificate, a file named `truststore.jks`
  536. will also be created in the target Secret resource, encrypted using the
  537. password stored in `passwordSecretRef`
  538. containing the issuing Certificate Authority
  539. type: boolean
  540. passwordSecretRef:
  541. description: |-
  542. PasswordSecretRef is a reference to a key in a Secret resource
  543. containing the password used to encrypt the JKS keystore.
  544. type: object
  545. required:
  546. - name
  547. properties:
  548. key:
  549. description: |-
  550. The key of the entry in the Secret resource's `data` field to be used.
  551. Some instances of this field may be defaulted, in others it may be
  552. required.
  553. type: string
  554. name:
  555. description: |-
  556. Name of the resource being referred to.
  557. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  558. type: string
  559. pkcs12:
  560. description: |-
  561. PKCS12 configures options for storing a PKCS12 keystore in the
  562. `spec.secretName` Secret resource.
  563. type: object
  564. required:
  565. - create
  566. - passwordSecretRef
  567. properties:
  568. create:
  569. description: |-
  570. Create enables PKCS12 keystore creation for the Certificate.
  571. If true, a file named `keystore.p12` will be created in the target
  572. Secret resource, encrypted using the password stored in
  573. `passwordSecretRef`.
  574. The keystore file will be updated immediately.
  575. If the issuer provided a CA certificate, a file named `truststore.p12` will
  576. also be created in the target Secret resource, encrypted using the
  577. password stored in `passwordSecretRef` containing the issuing Certificate
  578. Authority
  579. type: boolean
  580. passwordSecretRef:
  581. description: |-
  582. PasswordSecretRef is a reference to a key in a Secret resource
  583. containing the password used to encrypt the PKCS12 keystore.
  584. type: object
  585. required:
  586. - name
  587. properties:
  588. key:
  589. description: |-
  590. The key of the entry in the Secret resource's `data` field to be used.
  591. Some instances of this field may be defaulted, in others it may be
  592. required.
  593. type: string
  594. name:
  595. description: |-
  596. Name of the resource being referred to.
  597. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  598. type: string
  599. profile:
  600. description: |-
  601. Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
  602. used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
  603. If provided, allowed values are:
  604. `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
  605. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
  606. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
  607. (eg. because of company policy). Please note that the security of the algorithm is not that important
  608. in reality, because the unencrypted certificate and private key are also stored in the Secret.
  609. type: string
  610. enum:
  611. - LegacyRC2
  612. - LegacyDES
  613. - Modern2023
  614. literalSubject:
  615. description: |-
  616. Requested X.509 certificate subject, represented using the LDAP "String
  617. Representation of a Distinguished Name" [1].
  618. Important: the LDAP string format also specifies the order of the attributes
  619. in the subject, this is important when issuing certs for LDAP authentication.
  620. Example: `CN=foo,DC=corp,DC=example,DC=com`
  621. More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
  622. More info: https://github.com/cert-manager/cert-manager/issues/3203
  623. More info: https://github.com/cert-manager/cert-manager/issues/4424
  624. Cannot be set if the `subject` or `commonName` field is set.
  625. type: string
  626. nameConstraints:
  627. description: |-
  628. x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
  629. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
  630. This is an Alpha Feature and is only enabled with the
  631. `--feature-gates=NameConstraints=true` option set on both
  632. the controller and webhook components.
  633. type: object
  634. properties:
  635. critical:
  636. description: if true then the name constraints are marked critical.
  637. type: boolean
  638. excluded:
  639. description: |-
  640. Excluded contains the constraints which must be disallowed. Any name matching a
  641. restriction in the excluded field is invalid regardless
  642. of information appearing in the permitted
  643. type: object
  644. properties:
  645. dnsDomains:
  646. description: DNSDomains is a list of DNS domains that are permitted or excluded.
  647. type: array
  648. items:
  649. type: string
  650. emailAddresses:
  651. description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
  652. type: array
  653. items:
  654. type: string
  655. ipRanges:
  656. description: |-
  657. IPRanges is a list of IP Ranges that are permitted or excluded.
  658. This should be a valid CIDR notation.
  659. type: array
  660. items:
  661. type: string
  662. uriDomains:
  663. description: URIDomains is a list of URI domains that are permitted or excluded.
  664. type: array
  665. items:
  666. type: string
  667. permitted:
  668. description: Permitted contains the constraints in which the names must be located.
  669. type: object
  670. properties:
  671. dnsDomains:
  672. description: DNSDomains is a list of DNS domains that are permitted or excluded.
  673. type: array
  674. items:
  675. type: string
  676. emailAddresses:
  677. description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
  678. type: array
  679. items:
  680. type: string
  681. ipRanges:
  682. description: |-
  683. IPRanges is a list of IP Ranges that are permitted or excluded.
  684. This should be a valid CIDR notation.
  685. type: array
  686. items:
  687. type: string
  688. uriDomains:
  689. description: URIDomains is a list of URI domains that are permitted or excluded.
  690. type: array
  691. items:
  692. type: string
  693. otherNames:
  694. description: |-
  695. `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
  696. Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
  697. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
  698. You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
  699. type: array
  700. items:
  701. type: object
  702. properties:
  703. oid:
  704. description: |-
  705. OID is the object identifier for the otherName SAN.
  706. The object identifier must be expressed as a dotted string, for
  707. example, "1.2.840.113556.1.4.221".
  708. type: string
  709. utf8Value:
  710. description: |-
  711. utf8Value is the string value of the otherName SAN.
  712. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
  713. type: string
  714. privateKey:
  715. description: |-
  716. Private key options. These include the key algorithm and size, the used
  717. encoding and the rotation policy.
  718. type: object
  719. properties:
  720. algorithm:
  721. description: |-
  722. Algorithm is the private key algorithm of the corresponding private key
  723. for this certificate.
  724. If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
  725. If `algorithm` is specified and `size` is not provided,
  726. key size of 2048 will be used for `RSA` key algorithm and
  727. key size of 256 will be used for `ECDSA` key algorithm.
  728. key size is ignored when using the `Ed25519` key algorithm.
  729. type: string
  730. enum:
  731. - RSA
  732. - ECDSA
  733. - Ed25519
  734. encoding:
  735. description: |-
  736. The private key cryptography standards (PKCS) encoding for this
  737. certificate's private key to be encoded in.
  738. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
  739. and PKCS#8, respectively.
  740. Defaults to `PKCS1` if not specified.
  741. type: string
  742. enum:
  743. - PKCS1
  744. - PKCS8
  745. rotationPolicy:
  746. description: |-
  747. RotationPolicy controls how private keys should be regenerated when a
  748. re-issuance is being processed.
  749. If set to `Never`, a private key will only be generated if one does not
  750. already exist in the target `spec.secretName`. If one does exists but it
  751. does not have the correct algorithm or size, a warning will be raised
  752. to await user intervention.
  753. If set to `Always`, a private key matching the specified requirements
  754. will be generated whenever a re-issuance occurs.
  755. Default is `Never` for backward compatibility.
  756. type: string
  757. enum:
  758. - Never
  759. - Always
  760. size:
  761. description: |-
  762. Size is the key bit size of the corresponding private key for this certificate.
  763. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
  764. and will default to `2048` if not specified.
  765. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
  766. and will default to `256` if not specified.
  767. If `algorithm` is set to `Ed25519`, Size is ignored.
  768. No other values are allowed.
  769. type: integer
  770. renewBefore:
  771. description: |-
  772. How long before the currently issued certificate's expiry cert-manager should
  773. renew the certificate. For example, if a certificate is valid for 60 minutes,
  774. and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
  775. 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
  776. the certificate is no longer valid).
  777. NOTE: The actual lifetime of the issued certificate is used to determine the
  778. renewal time. If an issuer returns a certificate with a different lifetime than
  779. the one requested, cert-manager will use the lifetime of the issued certificate.
  780. If unset, this defaults to 1/3 of the issued certificate's lifetime.
  781. Minimum accepted value is 5 minutes.
  782. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
  783. type: string
  784. revisionHistoryLimit:
  785. description: |-
  786. The maximum number of CertificateRequest revisions that are maintained in
  787. the Certificate's history. Each revision represents a single `CertificateRequest`
  788. created by this Certificate, either when it was created, renewed, or Spec
  789. was changed. Revisions will be removed by oldest first if the number of
  790. revisions exceeds this number.
  791. If set, revisionHistoryLimit must be a value of `1` or greater.
  792. If unset (`nil`), revisions will not be garbage collected.
  793. Default value is `nil`.
  794. type: integer
  795. format: int32
  796. secretName:
  797. description: |-
  798. Name of the Secret resource that will be automatically created and
  799. managed by this Certificate resource. It will be populated with a
  800. private key and certificate, signed by the denoted issuer. The Secret
  801. resource lives in the same namespace as the Certificate resource.
  802. type: string
  803. secretTemplate:
  804. description: |-
  805. Defines annotations and labels to be copied to the Certificate's Secret.
  806. Labels and annotations on the Secret will be changed as they appear on the
  807. SecretTemplate when added or removed. SecretTemplate annotations are added
  808. in conjunction with, and cannot overwrite, the base set of annotations
  809. cert-manager sets on the Certificate's Secret.
  810. type: object
  811. properties:
  812. annotations:
  813. description: Annotations is a key value map to be copied to the target Kubernetes Secret.
  814. type: object
  815. additionalProperties:
  816. type: string
  817. labels:
  818. description: Labels is a key value map to be copied to the target Kubernetes Secret.
  819. type: object
  820. additionalProperties:
  821. type: string
  822. subject:
  823. description: |-
  824. Requested set of X509 certificate subject attributes.
  825. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
  826. The common name attribute is specified separately in the `commonName` field.
  827. Cannot be set if the `literalSubject` field is set.
  828. type: object
  829. properties:
  830. countries:
  831. description: Countries to be used on the Certificate.
  832. type: array
  833. items:
  834. type: string
  835. localities:
  836. description: Cities to be used on the Certificate.
  837. type: array
  838. items:
  839. type: string
  840. organizationalUnits:
  841. description: Organizational Units to be used on the Certificate.
  842. type: array
  843. items:
  844. type: string
  845. organizations:
  846. description: Organizations to be used on the Certificate.
  847. type: array
  848. items:
  849. type: string
  850. postalCodes:
  851. description: Postal codes to be used on the Certificate.
  852. type: array
  853. items:
  854. type: string
  855. provinces:
  856. description: State/Provinces to be used on the Certificate.
  857. type: array
  858. items:
  859. type: string
  860. serialNumber:
  861. description: Serial number to be used on the Certificate.
  862. type: string
  863. streetAddresses:
  864. description: Street addresses to be used on the Certificate.
  865. type: array
  866. items:
  867. type: string
  868. uris:
  869. description: Requested URI subject alternative names.
  870. type: array
  871. items:
  872. type: string
  873. usages:
  874. description: |-
  875. Requested key usages and extended key usages.
  876. These usages are used to set the `usages` field on the created CertificateRequest
  877. resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
  878. will additionally be encoded in the `request` field which contains the CSR blob.
  879. If unset, defaults to `digital signature` and `key encipherment`.
  880. type: array
  881. items:
  882. description: |-
  883. KeyUsage specifies valid usage contexts for keys.
  884. See:
  885. https://tools.ietf.org/html/rfc5280#section-4.2.1.3
  886. https://tools.ietf.org/html/rfc5280#section-4.2.1.12
  887. Valid KeyUsage values are as follows:
  888. "signing",
  889. "digital signature",
  890. "content commitment",
  891. "key encipherment",
  892. "key agreement",
  893. "data encipherment",
  894. "cert sign",
  895. "crl sign",
  896. "encipher only",
  897. "decipher only",
  898. "any",
  899. "server auth",
  900. "client auth",
  901. "code signing",
  902. "email protection",
  903. "s/mime",
  904. "ipsec end system",
  905. "ipsec tunnel",
  906. "ipsec user",
  907. "timestamping",
  908. "ocsp signing",
  909. "microsoft sgc",
  910. "netscape sgc"
  911. type: string
  912. enum:
  913. - signing
  914. - digital signature
  915. - content commitment
  916. - key encipherment
  917. - key agreement
  918. - data encipherment
  919. - cert sign
  920. - crl sign
  921. - encipher only
  922. - decipher only
  923. - any
  924. - server auth
  925. - client auth
  926. - code signing
  927. - email protection
  928. - s/mime
  929. - ipsec end system
  930. - ipsec tunnel
  931. - ipsec user
  932. - timestamping
  933. - ocsp signing
  934. - microsoft sgc
  935. - netscape sgc
  936. status:
  937. description: |-
  938. Status of the Certificate.
  939. This is set and managed automatically.
  940. Read-only.
  941. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
  942. type: object
  943. properties:
  944. conditions:
  945. description: |-
  946. List of status conditions to indicate the status of certificates.
  947. Known condition types are `Ready` and `Issuing`.
  948. type: array
  949. items:
  950. description: CertificateCondition contains condition information for a Certificate.
  951. type: object
  952. required:
  953. - status
  954. - type
  955. properties:
  956. lastTransitionTime:
  957. description: |-
  958. LastTransitionTime is the timestamp corresponding to the last status
  959. change of this condition.
  960. type: string
  961. format: date-time
  962. message:
  963. description: |-
  964. Message is a human readable description of the details of the last
  965. transition, complementing reason.
  966. type: string
  967. observedGeneration:
  968. description: |-
  969. If set, this represents the .metadata.generation that the condition was
  970. set based upon.
  971. For instance, if .metadata.generation is currently 12, but the
  972. .status.condition[x].observedGeneration is 9, the condition is out of date
  973. with respect to the current state of the Certificate.
  974. type: integer
  975. format: int64
  976. reason:
  977. description: |-
  978. Reason is a brief machine readable explanation for the condition's last
  979. transition.
  980. type: string
  981. status:
  982. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  983. type: string
  984. enum:
  985. - "True"
  986. - "False"
  987. - Unknown
  988. type:
  989. description: Type of the condition, known values are (`Ready`, `Issuing`).
  990. type: string
  991. x-kubernetes-list-map-keys:
  992. - type
  993. x-kubernetes-list-type: map
  994. failedIssuanceAttempts:
  995. description: |-
  996. The number of continuous failed issuance attempts up till now. This
  997. field gets removed (if set) on a successful issuance and gets set to
  998. 1 if unset and an issuance has failed. If an issuance has failed, the
  999. delay till the next issuance will be calculated using formula
  1000. time.Hour * 2 ^ (failedIssuanceAttempts - 1).
  1001. type: integer
  1002. lastFailureTime:
  1003. description: |-
  1004. LastFailureTime is set only if the latest issuance for this
  1005. Certificate failed and contains the time of the failure. If an
  1006. issuance has failed, the delay till the next issuance will be
  1007. calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
  1008. 1). If the latest issuance has succeeded this field will be unset.
  1009. type: string
  1010. format: date-time
  1011. nextPrivateKeySecretName:
  1012. description: |-
  1013. The name of the Secret resource containing the private key to be used
  1014. for the next certificate iteration.
  1015. The keymanager controller will automatically set this field if the
  1016. `Issuing` condition is set to `True`.
  1017. It will automatically unset this field when the Issuing condition is
  1018. not set or False.
  1019. type: string
  1020. notAfter:
  1021. description: |-
  1022. The expiration time of the certificate stored in the secret named
  1023. by this resource in `spec.secretName`.
  1024. type: string
  1025. format: date-time
  1026. notBefore:
  1027. description: |-
  1028. The time after which the certificate stored in the secret named
  1029. by this resource in `spec.secretName` is valid.
  1030. type: string
  1031. format: date-time
  1032. renewalTime:
  1033. description: |-
  1034. RenewalTime is the time at which the certificate will be next
  1035. renewed.
  1036. If not set, no upcoming renewal is scheduled.
  1037. type: string
  1038. format: date-time
  1039. revision:
  1040. description: |-
  1041. The current 'revision' of the certificate as issued.
  1042. When a CertificateRequest resource is created, it will have the
  1043. `cert-manager.io/certificate-revision` set to one greater than the
  1044. current value of this field.
  1045. Upon issuance, this field will be set to the value of the annotation
  1046. on the CertificateRequest resource used to issue the certificate.
  1047. Persisting the value on the CertificateRequest resource allows the
  1048. certificates controller to know whether a request is part of an old
  1049. issuance or if it is part of the ongoing revision's issuance by
  1050. checking if the revision value in the annotation is greater than this
  1051. field.
  1052. type: integer
  1053. served: true
  1054. storage: true
  1055. # END crd
  1056. ---
  1057. # Source: cert-manager/templates/crds.yaml
  1058. # START crd
  1059. apiVersion: apiextensions.k8s.io/v1
  1060. kind: CustomResourceDefinition
  1061. metadata:
  1062. name: challenges.acme.cert-manager.io
  1063. # START annotations
  1064. annotations:
  1065. helm.sh/resource-policy: keep
  1066. # END annotations
  1067. labels:
  1068. app: 'cert-manager'
  1069. app.kubernetes.io/name: 'cert-manager'
  1070. app.kubernetes.io/instance: 'cert-manager'
  1071. # Generated labels
  1072. app.kubernetes.io/version: "v1.15.2"
  1073. spec:
  1074. group: acme.cert-manager.io
  1075. names:
  1076. kind: Challenge
  1077. listKind: ChallengeList
  1078. plural: challenges
  1079. singular: challenge
  1080. categories:
  1081. - cert-manager
  1082. - cert-manager-acme
  1083. scope: Namespaced
  1084. versions:
  1085. - additionalPrinterColumns:
  1086. - jsonPath: .status.state
  1087. name: State
  1088. type: string
  1089. - jsonPath: .spec.dnsName
  1090. name: Domain
  1091. type: string
  1092. - jsonPath: .status.reason
  1093. name: Reason
  1094. priority: 1
  1095. type: string
  1096. - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  1097. jsonPath: .metadata.creationTimestamp
  1098. name: Age
  1099. type: date
  1100. name: v1
  1101. schema:
  1102. openAPIV3Schema:
  1103. description: Challenge is a type to represent a Challenge request with an ACME server
  1104. type: object
  1105. required:
  1106. - metadata
  1107. - spec
  1108. properties:
  1109. apiVersion:
  1110. description: |-
  1111. APIVersion defines the versioned schema of this representation of an object.
  1112. Servers should convert recognized schemas to the latest internal value, and
  1113. may reject unrecognized values.
  1114. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1115. type: string
  1116. kind:
  1117. description: |-
  1118. Kind is a string value representing the REST resource this object represents.
  1119. Servers may infer this from the endpoint the client submits requests to.
  1120. Cannot be updated.
  1121. In CamelCase.
  1122. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1123. type: string
  1124. metadata:
  1125. type: object
  1126. spec:
  1127. type: object
  1128. required:
  1129. - authorizationURL
  1130. - dnsName
  1131. - issuerRef
  1132. - key
  1133. - solver
  1134. - token
  1135. - type
  1136. - url
  1137. properties:
  1138. authorizationURL:
  1139. description: |-
  1140. The URL to the ACME Authorization resource that this
  1141. challenge is a part of.
  1142. type: string
  1143. dnsName:
  1144. description: |-
  1145. dnsName is the identifier that this challenge is for, e.g. example.com.
  1146. If the requested DNSName is a 'wildcard', this field MUST be set to the
  1147. non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
  1148. type: string
  1149. issuerRef:
  1150. description: |-
  1151. References a properly configured ACME-type Issuer which should
  1152. be used to create this Challenge.
  1153. If the Issuer does not exist, processing will be retried.
  1154. If the Issuer is not an 'ACME' Issuer, an error will be returned and the
  1155. Challenge will be marked as failed.
  1156. type: object
  1157. required:
  1158. - name
  1159. properties:
  1160. group:
  1161. description: Group of the resource being referred to.
  1162. type: string
  1163. kind:
  1164. description: Kind of the resource being referred to.
  1165. type: string
  1166. name:
  1167. description: Name of the resource being referred to.
  1168. type: string
  1169. key:
  1170. description: |-
  1171. The ACME challenge key for this challenge
  1172. For HTTP01 challenges, this is the value that must be responded with to
  1173. complete the HTTP01 challenge in the format:
  1174. `<private key JWK thumbprint>.<key from acme server for challenge>`.
  1175. For DNS01 challenges, this is the base64 encoded SHA256 sum of the
  1176. `<private key JWK thumbprint>.<key from acme server for challenge>`
  1177. text that must be set as the TXT record content.
  1178. type: string
  1179. solver:
  1180. description: |-
  1181. Contains the domain solving configuration that should be used to
  1182. solve this challenge resource.
  1183. type: object
  1184. properties:
  1185. dns01:
  1186. description: |-
  1187. Configures cert-manager to attempt to complete authorizations by
  1188. performing the DNS01 challenge flow.
  1189. type: object
  1190. properties:
  1191. acmeDNS:
  1192. description: |-
  1193. Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
  1194. DNS01 challenge records.
  1195. type: object
  1196. required:
  1197. - accountSecretRef
  1198. - host
  1199. properties:
  1200. accountSecretRef:
  1201. description: |-
  1202. A reference to a specific 'key' within a Secret resource.
  1203. In some instances, `key` is a required field.
  1204. type: object
  1205. required:
  1206. - name
  1207. properties:
  1208. key:
  1209. description: |-
  1210. The key of the entry in the Secret resource's `data` field to be used.
  1211. Some instances of this field may be defaulted, in others it may be
  1212. required.
  1213. type: string
  1214. name:
  1215. description: |-
  1216. Name of the resource being referred to.
  1217. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1218. type: string
  1219. host:
  1220. type: string
  1221. akamai:
  1222. description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
  1223. type: object
  1224. required:
  1225. - accessTokenSecretRef
  1226. - clientSecretSecretRef
  1227. - clientTokenSecretRef
  1228. - serviceConsumerDomain
  1229. properties:
  1230. accessTokenSecretRef:
  1231. description: |-
  1232. A reference to a specific 'key' within a Secret resource.
  1233. In some instances, `key` is a required field.
  1234. type: object
  1235. required:
  1236. - name
  1237. properties:
  1238. key:
  1239. description: |-
  1240. The key of the entry in the Secret resource's `data` field to be used.
  1241. Some instances of this field may be defaulted, in others it may be
  1242. required.
  1243. type: string
  1244. name:
  1245. description: |-
  1246. Name of the resource being referred to.
  1247. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1248. type: string
  1249. clientSecretSecretRef:
  1250. description: |-
  1251. A reference to a specific 'key' within a Secret resource.
  1252. In some instances, `key` is a required field.
  1253. type: object
  1254. required:
  1255. - name
  1256. properties:
  1257. key:
  1258. description: |-
  1259. The key of the entry in the Secret resource's `data` field to be used.
  1260. Some instances of this field may be defaulted, in others it may be
  1261. required.
  1262. type: string
  1263. name:
  1264. description: |-
  1265. Name of the resource being referred to.
  1266. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1267. type: string
  1268. clientTokenSecretRef:
  1269. description: |-
  1270. A reference to a specific 'key' within a Secret resource.
  1271. In some instances, `key` is a required field.
  1272. type: object
  1273. required:
  1274. - name
  1275. properties:
  1276. key:
  1277. description: |-
  1278. The key of the entry in the Secret resource's `data` field to be used.
  1279. Some instances of this field may be defaulted, in others it may be
  1280. required.
  1281. type: string
  1282. name:
  1283. description: |-
  1284. Name of the resource being referred to.
  1285. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1286. type: string
  1287. serviceConsumerDomain:
  1288. type: string
  1289. azureDNS:
  1290. description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
  1291. type: object
  1292. required:
  1293. - resourceGroupName
  1294. - subscriptionID
  1295. properties:
  1296. clientID:
  1297. description: |-
  1298. Auth: Azure Service Principal:
  1299. The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
  1300. If set, ClientSecret and TenantID must also be set.
  1301. type: string
  1302. clientSecretSecretRef:
  1303. description: |-
  1304. Auth: Azure Service Principal:
  1305. A reference to a Secret containing the password associated with the Service Principal.
  1306. If set, ClientID and TenantID must also be set.
  1307. type: object
  1308. required:
  1309. - name
  1310. properties:
  1311. key:
  1312. description: |-
  1313. The key of the entry in the Secret resource's `data` field to be used.
  1314. Some instances of this field may be defaulted, in others it may be
  1315. required.
  1316. type: string
  1317. name:
  1318. description: |-
  1319. Name of the resource being referred to.
  1320. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1321. type: string
  1322. environment:
  1323. description: name of the Azure environment (default AzurePublicCloud)
  1324. type: string
  1325. enum:
  1326. - AzurePublicCloud
  1327. - AzureChinaCloud
  1328. - AzureGermanCloud
  1329. - AzureUSGovernmentCloud
  1330. hostedZoneName:
  1331. description: name of the DNS zone that should be used
  1332. type: string
  1333. managedIdentity:
  1334. description: |-
  1335. Auth: Azure Workload Identity or Azure Managed Service Identity:
  1336. Settings to enable Azure Workload Identity or Azure Managed Service Identity
  1337. If set, ClientID, ClientSecret and TenantID must not be set.
  1338. type: object
  1339. properties:
  1340. clientID:
  1341. description: client ID of the managed identity, cannot be used at the same time as resourceID
  1342. type: string
  1343. resourceID:
  1344. description: |-
  1345. resource ID of the managed identity, cannot be used at the same time as clientID
  1346. Cannot be used for Azure Managed Service Identity
  1347. type: string
  1348. resourceGroupName:
  1349. description: resource group the DNS zone is located in
  1350. type: string
  1351. subscriptionID:
  1352. description: ID of the Azure subscription
  1353. type: string
  1354. tenantID:
  1355. description: |-
  1356. Auth: Azure Service Principal:
  1357. The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
  1358. If set, ClientID and ClientSecret must also be set.
  1359. type: string
  1360. cloudDNS:
  1361. description: Use the Google Cloud DNS API to manage DNS01 challenge records.
  1362. type: object
  1363. required:
  1364. - project
  1365. properties:
  1366. hostedZoneName:
  1367. description: |-
  1368. HostedZoneName is an optional field that tells cert-manager in which
  1369. Cloud DNS zone the challenge record has to be created.
  1370. If left empty cert-manager will automatically choose a zone.
  1371. type: string
  1372. project:
  1373. type: string
  1374. serviceAccountSecretRef:
  1375. description: |-
  1376. A reference to a specific 'key' within a Secret resource.
  1377. In some instances, `key` is a required field.
  1378. type: object
  1379. required:
  1380. - name
  1381. properties:
  1382. key:
  1383. description: |-
  1384. The key of the entry in the Secret resource's `data` field to be used.
  1385. Some instances of this field may be defaulted, in others it may be
  1386. required.
  1387. type: string
  1388. name:
  1389. description: |-
  1390. Name of the resource being referred to.
  1391. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1392. type: string
  1393. cloudflare:
  1394. description: Use the Cloudflare API to manage DNS01 challenge records.
  1395. type: object
  1396. properties:
  1397. apiKeySecretRef:
  1398. description: |-
  1399. API key to use to authenticate with Cloudflare.
  1400. Note: using an API token to authenticate is now the recommended method
  1401. as it allows greater control of permissions.
  1402. type: object
  1403. required:
  1404. - name
  1405. properties:
  1406. key:
  1407. description: |-
  1408. The key of the entry in the Secret resource's `data` field to be used.
  1409. Some instances of this field may be defaulted, in others it may be
  1410. required.
  1411. type: string
  1412. name:
  1413. description: |-
  1414. Name of the resource being referred to.
  1415. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1416. type: string
  1417. apiTokenSecretRef:
  1418. description: API token used to authenticate with Cloudflare.
  1419. type: object
  1420. required:
  1421. - name
  1422. properties:
  1423. key:
  1424. description: |-
  1425. The key of the entry in the Secret resource's `data` field to be used.
  1426. Some instances of this field may be defaulted, in others it may be
  1427. required.
  1428. type: string
  1429. name:
  1430. description: |-
  1431. Name of the resource being referred to.
  1432. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1433. type: string
  1434. email:
  1435. description: Email of the account, only required when using API key based authentication.
  1436. type: string
  1437. cnameStrategy:
  1438. description: |-
  1439. CNAMEStrategy configures how the DNS01 provider should handle CNAME
  1440. records when found in DNS zones.
  1441. type: string
  1442. enum:
  1443. - None
  1444. - Follow
  1445. digitalocean:
  1446. description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
  1447. type: object
  1448. required:
  1449. - tokenSecretRef
  1450. properties:
  1451. tokenSecretRef:
  1452. description: |-
  1453. A reference to a specific 'key' within a Secret resource.
  1454. In some instances, `key` is a required field.
  1455. type: object
  1456. required:
  1457. - name
  1458. properties:
  1459. key:
  1460. description: |-
  1461. The key of the entry in the Secret resource's `data` field to be used.
  1462. Some instances of this field may be defaulted, in others it may be
  1463. required.
  1464. type: string
  1465. name:
  1466. description: |-
  1467. Name of the resource being referred to.
  1468. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1469. type: string
  1470. rfc2136:
  1471. description: |-
  1472. Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
  1473. to manage DNS01 challenge records.
  1474. type: object
  1475. required:
  1476. - nameserver
  1477. properties:
  1478. nameserver:
  1479. description: |-
  1480. The IP address or hostname of an authoritative DNS server supporting
  1481. RFC2136 in the form host:port. If the host is an IPv6 address it must be
  1482. enclosed in square brackets (e.g. [2001:db8::1]); port is optional.
  1483. This field is required.
  1484. type: string
  1485. tsigAlgorithm:
  1486. description: |-
  1487. The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
  1488. when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
  1489. Supported values are (case-insensitive): ``HMACMD5`` (default),
  1490. ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
  1491. type: string
  1492. tsigKeyName:
  1493. description: |-
  1494. The TSIG Key name configured in the DNS.
  1495. If ``tsigSecretSecretRef`` is defined, this field is required.
  1496. type: string
  1497. tsigSecretSecretRef:
  1498. description: |-
  1499. The name of the secret containing the TSIG value.
  1500. If ``tsigKeyName`` is defined, this field is required.
  1501. type: object
  1502. required:
  1503. - name
  1504. properties:
  1505. key:
  1506. description: |-
  1507. The key of the entry in the Secret resource's `data` field to be used.
  1508. Some instances of this field may be defaulted, in others it may be
  1509. required.
  1510. type: string
  1511. name:
  1512. description: |-
  1513. Name of the resource being referred to.
  1514. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1515. type: string
  1516. route53:
  1517. description: Use the AWS Route53 API to manage DNS01 challenge records.
  1518. type: object
  1519. required:
  1520. - region
  1521. properties:
  1522. accessKeyID:
  1523. description: |-
  1524. The AccessKeyID is used for authentication.
  1525. Cannot be set when SecretAccessKeyID is set.
  1526. If neither the Access Key nor Key ID are set, we fall back to using env
  1527. vars, shared credentials file or AWS Instance metadata,
  1528. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  1529. type: string
  1530. accessKeyIDSecretRef:
  1531. description: |-
  1532. The SecretAccessKey is used for authentication. If set, pull the AWS
  1533. access key ID from a key within a Kubernetes Secret.
  1534. Cannot be set when AccessKeyID is set.
  1535. If neither the Access Key nor Key ID are set, we fall back to using env
  1536. vars, shared credentials file or AWS Instance metadata,
  1537. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  1538. type: object
  1539. required:
  1540. - name
  1541. properties:
  1542. key:
  1543. description: |-
  1544. The key of the entry in the Secret resource's `data` field to be used.
  1545. Some instances of this field may be defaulted, in others it may be
  1546. required.
  1547. type: string
  1548. name:
  1549. description: |-
  1550. Name of the resource being referred to.
  1551. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1552. type: string
  1553. auth:
  1554. description: Auth configures how cert-manager authenticates.
  1555. type: object
  1556. required:
  1557. - kubernetes
  1558. properties:
  1559. kubernetes:
  1560. description: |-
  1561. Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
  1562. by passing a bound ServiceAccount token.
  1563. type: object
  1564. required:
  1565. - serviceAccountRef
  1566. properties:
  1567. serviceAccountRef:
  1568. description: |-
  1569. A reference to a service account that will be used to request a bound
  1570. token (also known as "projected token"). To use this field, you must
  1571. configure an RBAC rule to let cert-manager request a token.
  1572. type: object
  1573. required:
  1574. - name
  1575. properties:
  1576. audiences:
  1577. description: |-
  1578. TokenAudiences is an optional list of audiences to include in the
  1579. token passed to AWS. The default token consisting of the issuer's namespace
  1580. and name is always included.
  1581. If unset the audience defaults to `sts.amazonaws.com`.
  1582. type: array
  1583. items:
  1584. type: string
  1585. name:
  1586. description: Name of the ServiceAccount used to request a token.
  1587. type: string
  1588. hostedZoneID:
  1589. description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
  1590. type: string
  1591. region:
  1592. description: Always set the region when using AccessKeyID and SecretAccessKey
  1593. type: string
  1594. role:
  1595. description: |-
  1596. Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
  1597. or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
  1598. type: string
  1599. secretAccessKeySecretRef:
  1600. description: |-
  1601. The SecretAccessKey is used for authentication.
  1602. If neither the Access Key nor Key ID are set, we fall back to using env
  1603. vars, shared credentials file or AWS Instance metadata,
  1604. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  1605. type: object
  1606. required:
  1607. - name
  1608. properties:
  1609. key:
  1610. description: |-
  1611. The key of the entry in the Secret resource's `data` field to be used.
  1612. Some instances of this field may be defaulted, in others it may be
  1613. required.
  1614. type: string
  1615. name:
  1616. description: |-
  1617. Name of the resource being referred to.
  1618. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  1619. type: string
  1620. webhook:
  1621. description: |-
  1622. Configure an external webhook based DNS01 challenge solver to manage
  1623. DNS01 challenge records.
  1624. type: object
  1625. required:
  1626. - groupName
  1627. - solverName
  1628. properties:
  1629. config:
  1630. description: |-
  1631. Additional configuration that should be passed to the webhook apiserver
  1632. when challenges are processed.
  1633. This can contain arbitrary JSON data.
  1634. Secret values should not be specified in this stanza.
  1635. If secret values are needed (e.g. credentials for a DNS service), you
  1636. should use a SecretKeySelector to reference a Secret resource.
  1637. For details on the schema of this field, consult the webhook provider
  1638. implementation's documentation.
  1639. x-kubernetes-preserve-unknown-fields: true
  1640. groupName:
  1641. description: |-
  1642. The API group name that should be used when POSTing ChallengePayload
  1643. resources to the webhook apiserver.
  1644. This should be the same as the GroupName specified in the webhook
  1645. provider implementation.
  1646. type: string
  1647. solverName:
  1648. description: |-
  1649. The name of the solver to use, as defined in the webhook provider
  1650. implementation.
  1651. This will typically be the name of the provider, e.g. 'cloudflare'.
  1652. type: string
  1653. http01:
  1654. description: |-
  1655. Configures cert-manager to attempt to complete authorizations by
  1656. performing the HTTP01 challenge flow.
  1657. It is not possible to obtain certificates for wildcard domain names
  1658. (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
  1659. type: object
  1660. properties:
  1661. gatewayHTTPRoute:
  1662. description: |-
  1663. The Gateway API is a sig-network community API that models service networking
  1664. in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
  1665. create HTTPRoutes with the specified labels in the same namespace as the challenge.
  1666. This solver is experimental, and fields / behaviour may change in the future.
  1667. type: object
  1668. properties:
  1669. labels:
  1670. description: |-
  1671. Custom labels that will be applied to HTTPRoutes created by cert-manager
  1672. while solving HTTP-01 challenges.
  1673. type: object
  1674. additionalProperties:
  1675. type: string
  1676. parentRefs:
  1677. description: |-
  1678. When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
  1679. cert-manager needs to know which parentRefs should be used when creating
  1680. the HTTPRoute. Usually, the parentRef references a Gateway. See:
  1681. https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
  1682. type: array
  1683. items:
  1684. description: |-
  1685. ParentReference identifies an API object (usually a Gateway) that can be considered
  1686. a parent of this resource (usually a route). There are two kinds of parent resources
  1687. with "Core" support:
  1688. * Gateway (Gateway conformance profile)
  1689. * Service (Mesh conformance profile, ClusterIP Services only)
  1690. This API may be extended in the future to support additional kinds of parent
  1691. resources.
  1692. The API object must be valid in the cluster; the Group and Kind must
  1693. be registered in the cluster for this reference to be valid.
  1694. type: object
  1695. required:
  1696. - name
  1697. properties:
  1698. group:
  1699. description: |-
  1700. Group is the group of the referent.
  1701. When unspecified, "gateway.networking.k8s.io" is inferred.
  1702. To set the core API group (such as for a "Service" kind referent),
  1703. Group must be explicitly set to "" (empty string).
  1704. Support: Core
  1705. type: string
  1706. default: gateway.networking.k8s.io
  1707. maxLength: 253
  1708. pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1709. kind:
  1710. description: |-
  1711. Kind is kind of the referent.
  1712. There are two kinds of parent resources with "Core" support:
  1713. * Gateway (Gateway conformance profile)
  1714. * Service (Mesh conformance profile, ClusterIP Services only)
  1715. Support for other resources is Implementation-Specific.
  1716. type: string
  1717. default: Gateway
  1718. maxLength: 63
  1719. minLength: 1
  1720. pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
  1721. name:
  1722. description: |-
  1723. Name is the name of the referent.
  1724. Support: Core
  1725. type: string
  1726. maxLength: 253
  1727. minLength: 1
  1728. namespace:
  1729. description: |-
  1730. Namespace is the namespace of the referent. When unspecified, this refers
  1731. to the local namespace of the Route.
  1732. Note that there are specific rules for ParentRefs which cross namespace
  1733. boundaries. Cross-namespace references are only valid if they are explicitly
  1734. allowed by something in the namespace they are referring to. For example:
  1735. Gateway has the AllowedRoutes field, and ReferenceGrant provides a
  1736. generic way to enable any other kind of cross-namespace reference.
  1737. <gateway:experimental:description>
  1738. ParentRefs from a Route to a Service in the same namespace are "producer"
  1739. routes, which apply default routing rules to inbound connections from
  1740. any namespace to the Service.
  1741. ParentRefs from a Route to a Service in a different namespace are
  1742. "consumer" routes, and these routing rules are only applied to outbound
  1743. connections originating from the same namespace as the Route, for which
  1744. the intended destination of the connections are a Service targeted as a
  1745. ParentRef of the Route.
  1746. </gateway:experimental:description>
  1747. Support: Core
  1748. type: string
  1749. maxLength: 63
  1750. minLength: 1
  1751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1752. port:
  1753. description: |-
  1754. Port is the network port this Route targets. It can be interpreted
  1755. differently based on the type of parent resource.
  1756. When the parent resource is a Gateway, this targets all listeners
  1757. listening on the specified port that also support this kind of Route (and
  1758. select this Route). It's not recommended to set `Port` unless the
  1759. networking behaviors specified in a Route must apply to a specific port
  1760. as opposed to a listener(s) whose port(s) may be changed. When both Port
  1761. and SectionName are specified, the name and port of the selected listener
  1762. must match both specified values.
  1763. <gateway:experimental:description>
  1764. When the parent resource is a Service, this targets a specific port in the
  1765. Service spec. When both Port (experimental) and SectionName are specified,
  1766. the name and port of the selected port must match both specified values.
  1767. </gateway:experimental:description>
  1768. Implementations MAY choose to support other parent resources.
  1769. Implementations supporting other types of parent resources MUST clearly
  1770. document how/if Port is interpreted.
  1771. For the purpose of status, an attachment is considered successful as
  1772. long as the parent resource accepts it partially. For example, Gateway
  1773. listeners can restrict which Routes can attach to them by Route kind,
  1774. namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
  1775. from the referencing Route, the Route MUST be considered successfully
  1776. attached. If no Gateway listeners accept attachment from this Route,
  1777. the Route MUST be considered detached from the Gateway.
  1778. Support: Extended
  1779. type: integer
  1780. format: int32
  1781. maximum: 65535
  1782. minimum: 1
  1783. sectionName:
  1784. description: |-
  1785. SectionName is the name of a section within the target resource. In the
  1786. following resources, SectionName is interpreted as the following:
  1787. * Gateway: Listener name. When both Port (experimental) and SectionName
  1788. are specified, the name and port of the selected listener must match
  1789. both specified values.
  1790. * Service: Port name. When both Port (experimental) and SectionName
  1791. are specified, the name and port of the selected listener must match
  1792. both specified values.
  1793. Implementations MAY choose to support attaching Routes to other resources.
  1794. If that is the case, they MUST clearly document how SectionName is
  1795. interpreted.
  1796. When unspecified (empty string), this will reference the entire resource.
  1797. For the purpose of status, an attachment is considered successful if at
  1798. least one section in the parent resource accepts it. For example, Gateway
  1799. listeners can restrict which Routes can attach to them by Route kind,
  1800. namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
  1801. the referencing Route, the Route MUST be considered successfully
  1802. attached. If no Gateway listeners accept attachment from this Route, the
  1803. Route MUST be considered detached from the Gateway.
  1804. Support: Core
  1805. type: string
  1806. maxLength: 253
  1807. minLength: 1
  1808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1809. serviceType:
  1810. description: |-
  1811. Optional service type for Kubernetes solver service. Supported values
  1812. are NodePort or ClusterIP. If unset, defaults to NodePort.
  1813. type: string
  1814. ingress:
  1815. description: |-
  1816. The ingress based HTTP01 challenge solver will solve challenges by
  1817. creating or modifying Ingress resources in order to route requests for
  1818. '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
  1819. provisioned by cert-manager for each Challenge to be completed.
  1820. type: object
  1821. properties:
  1822. class:
  1823. description: |-
  1824. This field configures the annotation `kubernetes.io/ingress.class` when
  1825. creating Ingress resources to solve ACME challenges that use this
  1826. challenge solver. Only one of `class`, `name` or `ingressClassName` may
  1827. be specified.
  1828. type: string
  1829. ingressClassName:
  1830. description: |-
  1831. This field configures the field `ingressClassName` on the created Ingress
  1832. resources used to solve ACME challenges that use this challenge solver.
  1833. This is the recommended way of configuring the ingress class. Only one of
  1834. `class`, `name` or `ingressClassName` may be specified.
  1835. type: string
  1836. ingressTemplate:
  1837. description: |-
  1838. Optional ingress template used to configure the ACME challenge solver
  1839. ingress used for HTTP01 challenges.
  1840. type: object
  1841. properties:
  1842. metadata:
  1843. description: |-
  1844. ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
  1845. Only the 'labels' and 'annotations' fields may be set.
  1846. If labels or annotations overlap with in-built values, the values here
  1847. will override the in-built values.
  1848. type: object
  1849. properties:
  1850. annotations:
  1851. description: Annotations that should be added to the created ACME HTTP01 solver ingress.
  1852. type: object
  1853. additionalProperties:
  1854. type: string
  1855. labels:
  1856. description: Labels that should be added to the created ACME HTTP01 solver ingress.
  1857. type: object
  1858. additionalProperties:
  1859. type: string
  1860. name:
  1861. description: |-
  1862. The name of the ingress resource that should have ACME challenge solving
  1863. routes inserted into it in order to solve HTTP01 challenges.
  1864. This is typically used in conjunction with ingress controllers like
  1865. ingress-gce, which maintains a 1:1 mapping between external IPs and
  1866. ingress resources. Only one of `class`, `name` or `ingressClassName` may
  1867. be specified.
  1868. type: string
  1869. podTemplate:
  1870. description: |-
  1871. Optional pod template used to configure the ACME challenge solver pods
  1872. used for HTTP01 challenges.
  1873. type: object
  1874. properties:
  1875. metadata:
  1876. description: |-
  1877. ObjectMeta overrides for the pod used to solve HTTP01 challenges.
  1878. Only the 'labels' and 'annotations' fields may be set.
  1879. If labels or annotations overlap with in-built values, the values here
  1880. will override the in-built values.
  1881. type: object
  1882. properties:
  1883. annotations:
  1884. description: Annotations that should be added to the created ACME HTTP01 solver pods.
  1885. type: object
  1886. additionalProperties:
  1887. type: string
  1888. labels:
  1889. description: Labels that should be added to the created ACME HTTP01 solver pods.
  1890. type: object
  1891. additionalProperties:
  1892. type: string
  1893. spec:
  1894. description: |-
  1895. PodSpec defines overrides for the HTTP01 challenge solver pod.
  1896. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
  1897. All other fields will be ignored.
  1898. type: object
  1899. properties:
  1900. affinity:
  1901. description: If specified, the pod's scheduling constraints
  1902. type: object
  1903. properties:
  1904. nodeAffinity:
  1905. description: Describes node affinity scheduling rules for the pod.
  1906. type: object
  1907. properties:
  1908. preferredDuringSchedulingIgnoredDuringExecution:
  1909. description: |-
  1910. The scheduler will prefer to schedule pods to nodes that satisfy
  1911. the affinity expressions specified by this field, but it may choose
  1912. a node that violates one or more of the expressions. The node that is
  1913. most preferred is the one with the greatest sum of weights, i.e.
  1914. for each node that meets all of the scheduling requirements (resource
  1915. request, requiredDuringScheduling affinity expressions, etc.),
  1916. compute a sum by iterating through the elements of this field and adding
  1917. "weight" to the sum if the node matches the corresponding matchExpressions; the
  1918. node(s) with the highest sum are the most preferred.
  1919. type: array
  1920. items:
  1921. description: |-
  1922. An empty preferred scheduling term matches all objects with implicit weight 0
  1923. (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
  1924. type: object
  1925. required:
  1926. - preference
  1927. - weight
  1928. properties:
  1929. preference:
  1930. description: A node selector term, associated with the corresponding weight.
  1931. type: object
  1932. properties:
  1933. matchExpressions:
  1934. description: A list of node selector requirements by node's labels.
  1935. type: array
  1936. items:
  1937. description: |-
  1938. A node selector requirement is a selector that contains values, a key, and an operator
  1939. that relates the key and values.
  1940. type: object
  1941. required:
  1942. - key
  1943. - operator
  1944. properties:
  1945. key:
  1946. description: The label key that the selector applies to.
  1947. type: string
  1948. operator:
  1949. description: |-
  1950. Represents a key's relationship to a set of values.
  1951. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  1952. type: string
  1953. values:
  1954. description: |-
  1955. An array of string values. If the operator is In or NotIn,
  1956. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1957. the values array must be empty. If the operator is Gt or Lt, the values
  1958. array must have a single element, which will be interpreted as an integer.
  1959. This array is replaced during a strategic merge patch.
  1960. type: array
  1961. items:
  1962. type: string
  1963. x-kubernetes-list-type: atomic
  1964. x-kubernetes-list-type: atomic
  1965. matchFields:
  1966. description: A list of node selector requirements by node's fields.
  1967. type: array
  1968. items:
  1969. description: |-
  1970. A node selector requirement is a selector that contains values, a key, and an operator
  1971. that relates the key and values.
  1972. type: object
  1973. required:
  1974. - key
  1975. - operator
  1976. properties:
  1977. key:
  1978. description: The label key that the selector applies to.
  1979. type: string
  1980. operator:
  1981. description: |-
  1982. Represents a key's relationship to a set of values.
  1983. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  1984. type: string
  1985. values:
  1986. description: |-
  1987. An array of string values. If the operator is In or NotIn,
  1988. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1989. the values array must be empty. If the operator is Gt or Lt, the values
  1990. array must have a single element, which will be interpreted as an integer.
  1991. This array is replaced during a strategic merge patch.
  1992. type: array
  1993. items:
  1994. type: string
  1995. x-kubernetes-list-type: atomic
  1996. x-kubernetes-list-type: atomic
  1997. x-kubernetes-map-type: atomic
  1998. weight:
  1999. description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  2000. type: integer
  2001. format: int32
  2002. x-kubernetes-list-type: atomic
  2003. requiredDuringSchedulingIgnoredDuringExecution:
  2004. description: |-
  2005. If the affinity requirements specified by this field are not met at
  2006. scheduling time, the pod will not be scheduled onto the node.
  2007. If the affinity requirements specified by this field cease to be met
  2008. at some point during pod execution (e.g. due to an update), the system
  2009. may or may not try to eventually evict the pod from its node.
  2010. type: object
  2011. required:
  2012. - nodeSelectorTerms
  2013. properties:
  2014. nodeSelectorTerms:
  2015. description: Required. A list of node selector terms. The terms are ORed.
  2016. type: array
  2017. items:
  2018. description: |-
  2019. A null or empty node selector term matches no objects. The requirements of
  2020. them are ANDed.
  2021. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  2022. type: object
  2023. properties:
  2024. matchExpressions:
  2025. description: A list of node selector requirements by node's labels.
  2026. type: array
  2027. items:
  2028. description: |-
  2029. A node selector requirement is a selector that contains values, a key, and an operator
  2030. that relates the key and values.
  2031. type: object
  2032. required:
  2033. - key
  2034. - operator
  2035. properties:
  2036. key:
  2037. description: The label key that the selector applies to.
  2038. type: string
  2039. operator:
  2040. description: |-
  2041. Represents a key's relationship to a set of values.
  2042. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  2043. type: string
  2044. values:
  2045. description: |-
  2046. An array of string values. If the operator is In or NotIn,
  2047. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2048. the values array must be empty. If the operator is Gt or Lt, the values
  2049. array must have a single element, which will be interpreted as an integer.
  2050. This array is replaced during a strategic merge patch.
  2051. type: array
  2052. items:
  2053. type: string
  2054. x-kubernetes-list-type: atomic
  2055. x-kubernetes-list-type: atomic
  2056. matchFields:
  2057. description: A list of node selector requirements by node's fields.
  2058. type: array
  2059. items:
  2060. description: |-
  2061. A node selector requirement is a selector that contains values, a key, and an operator
  2062. that relates the key and values.
  2063. type: object
  2064. required:
  2065. - key
  2066. - operator
  2067. properties:
  2068. key:
  2069. description: The label key that the selector applies to.
  2070. type: string
  2071. operator:
  2072. description: |-
  2073. Represents a key's relationship to a set of values.
  2074. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  2075. type: string
  2076. values:
  2077. description: |-
  2078. An array of string values. If the operator is In or NotIn,
  2079. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2080. the values array must be empty. If the operator is Gt or Lt, the values
  2081. array must have a single element, which will be interpreted as an integer.
  2082. This array is replaced during a strategic merge patch.
  2083. type: array
  2084. items:
  2085. type: string
  2086. x-kubernetes-list-type: atomic
  2087. x-kubernetes-list-type: atomic
  2088. x-kubernetes-map-type: atomic
  2089. x-kubernetes-list-type: atomic
  2090. x-kubernetes-map-type: atomic
  2091. podAffinity:
  2092. description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
  2093. type: object
  2094. properties:
  2095. preferredDuringSchedulingIgnoredDuringExecution:
  2096. description: |-
  2097. The scheduler will prefer to schedule pods to nodes that satisfy
  2098. the affinity expressions specified by this field, but it may choose
  2099. a node that violates one or more of the expressions. The node that is
  2100. most preferred is the one with the greatest sum of weights, i.e.
  2101. for each node that meets all of the scheduling requirements (resource
  2102. request, requiredDuringScheduling affinity expressions, etc.),
  2103. compute a sum by iterating through the elements of this field and adding
  2104. "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
  2105. node(s) with the highest sum are the most preferred.
  2106. type: array
  2107. items:
  2108. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  2109. type: object
  2110. required:
  2111. - podAffinityTerm
  2112. - weight
  2113. properties:
  2114. podAffinityTerm:
  2115. description: Required. A pod affinity term, associated with the corresponding weight.
  2116. type: object
  2117. required:
  2118. - topologyKey
  2119. properties:
  2120. labelSelector:
  2121. description: |-
  2122. A label query over a set of resources, in this case pods.
  2123. If it's null, this PodAffinityTerm matches with no Pods.
  2124. type: object
  2125. properties:
  2126. matchExpressions:
  2127. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2128. type: array
  2129. items:
  2130. description: |-
  2131. A label selector requirement is a selector that contains values, a key, and an operator that
  2132. relates the key and values.
  2133. type: object
  2134. required:
  2135. - key
  2136. - operator
  2137. properties:
  2138. key:
  2139. description: key is the label key that the selector applies to.
  2140. type: string
  2141. operator:
  2142. description: |-
  2143. operator represents a key's relationship to a set of values.
  2144. Valid operators are In, NotIn, Exists and DoesNotExist.
  2145. type: string
  2146. values:
  2147. description: |-
  2148. values is an array of string values. If the operator is In or NotIn,
  2149. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2150. the values array must be empty. This array is replaced during a strategic
  2151. merge patch.
  2152. type: array
  2153. items:
  2154. type: string
  2155. x-kubernetes-list-type: atomic
  2156. x-kubernetes-list-type: atomic
  2157. matchLabels:
  2158. description: |-
  2159. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2160. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2161. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2162. type: object
  2163. additionalProperties:
  2164. type: string
  2165. x-kubernetes-map-type: atomic
  2166. matchLabelKeys:
  2167. description: |-
  2168. MatchLabelKeys is a set of pod label keys to select which pods will
  2169. be taken into consideration. The keys are used to lookup values from the
  2170. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  2171. to select the group of existing pods which pods will be taken into consideration
  2172. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2173. pod labels will be ignored. The default value is empty.
  2174. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  2175. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  2176. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2177. type: array
  2178. items:
  2179. type: string
  2180. x-kubernetes-list-type: atomic
  2181. mismatchLabelKeys:
  2182. description: |-
  2183. MismatchLabelKeys is a set of pod label keys to select which pods will
  2184. be taken into consideration. The keys are used to lookup values from the
  2185. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  2186. to select the group of existing pods which pods will be taken into consideration
  2187. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2188. pod labels will be ignored. The default value is empty.
  2189. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  2190. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  2191. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2192. type: array
  2193. items:
  2194. type: string
  2195. x-kubernetes-list-type: atomic
  2196. namespaceSelector:
  2197. description: |-
  2198. A label query over the set of namespaces that the term applies to.
  2199. The term is applied to the union of the namespaces selected by this field
  2200. and the ones listed in the namespaces field.
  2201. null selector and null or empty namespaces list means "this pod's namespace".
  2202. An empty selector ({}) matches all namespaces.
  2203. type: object
  2204. properties:
  2205. matchExpressions:
  2206. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2207. type: array
  2208. items:
  2209. description: |-
  2210. A label selector requirement is a selector that contains values, a key, and an operator that
  2211. relates the key and values.
  2212. type: object
  2213. required:
  2214. - key
  2215. - operator
  2216. properties:
  2217. key:
  2218. description: key is the label key that the selector applies to.
  2219. type: string
  2220. operator:
  2221. description: |-
  2222. operator represents a key's relationship to a set of values.
  2223. Valid operators are In, NotIn, Exists and DoesNotExist.
  2224. type: string
  2225. values:
  2226. description: |-
  2227. values is an array of string values. If the operator is In or NotIn,
  2228. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2229. the values array must be empty. This array is replaced during a strategic
  2230. merge patch.
  2231. type: array
  2232. items:
  2233. type: string
  2234. x-kubernetes-list-type: atomic
  2235. x-kubernetes-list-type: atomic
  2236. matchLabels:
  2237. description: |-
  2238. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2239. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2240. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2241. type: object
  2242. additionalProperties:
  2243. type: string
  2244. x-kubernetes-map-type: atomic
  2245. namespaces:
  2246. description: |-
  2247. namespaces specifies a static list of namespace names that the term applies to.
  2248. The term is applied to the union of the namespaces listed in this field
  2249. and the ones selected by namespaceSelector.
  2250. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2251. type: array
  2252. items:
  2253. type: string
  2254. x-kubernetes-list-type: atomic
  2255. topologyKey:
  2256. description: |-
  2257. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  2258. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  2259. whose value of the label with key topologyKey matches that of any node on which any of the
  2260. selected pods is running.
  2261. Empty topologyKey is not allowed.
  2262. type: string
  2263. weight:
  2264. description: |-
  2265. weight associated with matching the corresponding podAffinityTerm,
  2266. in the range 1-100.
  2267. type: integer
  2268. format: int32
  2269. x-kubernetes-list-type: atomic
  2270. requiredDuringSchedulingIgnoredDuringExecution:
  2271. description: |-
  2272. If the affinity requirements specified by this field are not met at
  2273. scheduling time, the pod will not be scheduled onto the node.
  2274. If the affinity requirements specified by this field cease to be met
  2275. at some point during pod execution (e.g. due to a pod label update), the
  2276. system may or may not try to eventually evict the pod from its node.
  2277. When there are multiple elements, the lists of nodes corresponding to each
  2278. podAffinityTerm are intersected, i.e. all terms must be satisfied.
  2279. type: array
  2280. items:
  2281. description: |-
  2282. Defines a set of pods (namely those matching the labelSelector
  2283. relative to the given namespace(s)) that this pod should be
  2284. co-located (affinity) or not co-located (anti-affinity) with,
  2285. where co-located is defined as running on a node whose value of
  2286. the label with key <topologyKey> matches that of any node on which
  2287. a pod of the set of pods is running
  2288. type: object
  2289. required:
  2290. - topologyKey
  2291. properties:
  2292. labelSelector:
  2293. description: |-
  2294. A label query over a set of resources, in this case pods.
  2295. If it's null, this PodAffinityTerm matches with no Pods.
  2296. type: object
  2297. properties:
  2298. matchExpressions:
  2299. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2300. type: array
  2301. items:
  2302. description: |-
  2303. A label selector requirement is a selector that contains values, a key, and an operator that
  2304. relates the key and values.
  2305. type: object
  2306. required:
  2307. - key
  2308. - operator
  2309. properties:
  2310. key:
  2311. description: key is the label key that the selector applies to.
  2312. type: string
  2313. operator:
  2314. description: |-
  2315. operator represents a key's relationship to a set of values.
  2316. Valid operators are In, NotIn, Exists and DoesNotExist.
  2317. type: string
  2318. values:
  2319. description: |-
  2320. values is an array of string values. If the operator is In or NotIn,
  2321. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2322. the values array must be empty. This array is replaced during a strategic
  2323. merge patch.
  2324. type: array
  2325. items:
  2326. type: string
  2327. x-kubernetes-list-type: atomic
  2328. x-kubernetes-list-type: atomic
  2329. matchLabels:
  2330. description: |-
  2331. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2332. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2333. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2334. type: object
  2335. additionalProperties:
  2336. type: string
  2337. x-kubernetes-map-type: atomic
  2338. matchLabelKeys:
  2339. description: |-
  2340. MatchLabelKeys is a set of pod label keys to select which pods will
  2341. be taken into consideration. The keys are used to lookup values from the
  2342. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  2343. to select the group of existing pods which pods will be taken into consideration
  2344. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2345. pod labels will be ignored. The default value is empty.
  2346. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  2347. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  2348. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2349. type: array
  2350. items:
  2351. type: string
  2352. x-kubernetes-list-type: atomic
  2353. mismatchLabelKeys:
  2354. description: |-
  2355. MismatchLabelKeys is a set of pod label keys to select which pods will
  2356. be taken into consideration. The keys are used to lookup values from the
  2357. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  2358. to select the group of existing pods which pods will be taken into consideration
  2359. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2360. pod labels will be ignored. The default value is empty.
  2361. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  2362. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  2363. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2364. type: array
  2365. items:
  2366. type: string
  2367. x-kubernetes-list-type: atomic
  2368. namespaceSelector:
  2369. description: |-
  2370. A label query over the set of namespaces that the term applies to.
  2371. The term is applied to the union of the namespaces selected by this field
  2372. and the ones listed in the namespaces field.
  2373. null selector and null or empty namespaces list means "this pod's namespace".
  2374. An empty selector ({}) matches all namespaces.
  2375. type: object
  2376. properties:
  2377. matchExpressions:
  2378. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2379. type: array
  2380. items:
  2381. description: |-
  2382. A label selector requirement is a selector that contains values, a key, and an operator that
  2383. relates the key and values.
  2384. type: object
  2385. required:
  2386. - key
  2387. - operator
  2388. properties:
  2389. key:
  2390. description: key is the label key that the selector applies to.
  2391. type: string
  2392. operator:
  2393. description: |-
  2394. operator represents a key's relationship to a set of values.
  2395. Valid operators are In, NotIn, Exists and DoesNotExist.
  2396. type: string
  2397. values:
  2398. description: |-
  2399. values is an array of string values. If the operator is In or NotIn,
  2400. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2401. the values array must be empty. This array is replaced during a strategic
  2402. merge patch.
  2403. type: array
  2404. items:
  2405. type: string
  2406. x-kubernetes-list-type: atomic
  2407. x-kubernetes-list-type: atomic
  2408. matchLabels:
  2409. description: |-
  2410. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2411. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2412. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2413. type: object
  2414. additionalProperties:
  2415. type: string
  2416. x-kubernetes-map-type: atomic
  2417. namespaces:
  2418. description: |-
  2419. namespaces specifies a static list of namespace names that the term applies to.
  2420. The term is applied to the union of the namespaces listed in this field
  2421. and the ones selected by namespaceSelector.
  2422. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2423. type: array
  2424. items:
  2425. type: string
  2426. x-kubernetes-list-type: atomic
  2427. topologyKey:
  2428. description: |-
  2429. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  2430. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  2431. whose value of the label with key topologyKey matches that of any node on which any of the
  2432. selected pods is running.
  2433. Empty topologyKey is not allowed.
  2434. type: string
  2435. x-kubernetes-list-type: atomic
  2436. podAntiAffinity:
  2437. description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
  2438. type: object
  2439. properties:
  2440. preferredDuringSchedulingIgnoredDuringExecution:
  2441. description: |-
  2442. The scheduler will prefer to schedule pods to nodes that satisfy
  2443. the anti-affinity expressions specified by this field, but it may choose
  2444. a node that violates one or more of the expressions. The node that is
  2445. most preferred is the one with the greatest sum of weights, i.e.
  2446. for each node that meets all of the scheduling requirements (resource
  2447. request, requiredDuringScheduling anti-affinity expressions, etc.),
  2448. compute a sum by iterating through the elements of this field and adding
  2449. "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
  2450. node(s) with the highest sum are the most preferred.
  2451. type: array
  2452. items:
  2453. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  2454. type: object
  2455. required:
  2456. - podAffinityTerm
  2457. - weight
  2458. properties:
  2459. podAffinityTerm:
  2460. description: Required. A pod affinity term, associated with the corresponding weight.
  2461. type: object
  2462. required:
  2463. - topologyKey
  2464. properties:
  2465. labelSelector:
  2466. description: |-
  2467. A label query over a set of resources, in this case pods.
  2468. If it's null, this PodAffinityTerm matches with no Pods.
  2469. type: object
  2470. properties:
  2471. matchExpressions:
  2472. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2473. type: array
  2474. items:
  2475. description: |-
  2476. A label selector requirement is a selector that contains values, a key, and an operator that
  2477. relates the key and values.
  2478. type: object
  2479. required:
  2480. - key
  2481. - operator
  2482. properties:
  2483. key:
  2484. description: key is the label key that the selector applies to.
  2485. type: string
  2486. operator:
  2487. description: |-
  2488. operator represents a key's relationship to a set of values.
  2489. Valid operators are In, NotIn, Exists and DoesNotExist.
  2490. type: string
  2491. values:
  2492. description: |-
  2493. values is an array of string values. If the operator is In or NotIn,
  2494. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2495. the values array must be empty. This array is replaced during a strategic
  2496. merge patch.
  2497. type: array
  2498. items:
  2499. type: string
  2500. x-kubernetes-list-type: atomic
  2501. x-kubernetes-list-type: atomic
  2502. matchLabels:
  2503. description: |-
  2504. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2505. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2506. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2507. type: object
  2508. additionalProperties:
  2509. type: string
  2510. x-kubernetes-map-type: atomic
  2511. matchLabelKeys:
  2512. description: |-
  2513. MatchLabelKeys is a set of pod label keys to select which pods will
  2514. be taken into consideration. The keys are used to look up values from the
  2515. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  2516. to select the group of existing pods which pods will be taken into consideration
  2517. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2518. pod labels will be ignored. The default value is empty.
  2519. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  2520. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  2521. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2522. type: array
  2523. items:
  2524. type: string
  2525. x-kubernetes-list-type: atomic
  2526. mismatchLabelKeys:
  2527. description: |-
  2528. MismatchLabelKeys is a set of pod label keys to select which pods will
  2529. be taken into consideration. The keys are used to look up values from the
  2530. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  2531. to select the group of existing pods which pods will be taken into consideration
  2532. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2533. pod labels will be ignored. The default value is empty.
  2534. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  2535. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  2536. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2537. type: array
  2538. items:
  2539. type: string
  2540. x-kubernetes-list-type: atomic
  2541. namespaceSelector:
  2542. description: |-
  2543. A label query over the set of namespaces that the term applies to.
  2544. The term is applied to the union of the namespaces selected by this field
  2545. and the ones listed in the namespaces field.
  2546. null selector and null or empty namespaces list means "this pod's namespace".
  2547. An empty selector ({}) matches all namespaces.
  2548. type: object
  2549. properties:
  2550. matchExpressions:
  2551. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2552. type: array
  2553. items:
  2554. description: |-
  2555. A label selector requirement is a selector that contains values, a key, and an operator that
  2556. relates the key and values.
  2557. type: object
  2558. required:
  2559. - key
  2560. - operator
  2561. properties:
  2562. key:
  2563. description: key is the label key that the selector applies to.
  2564. type: string
  2565. operator:
  2566. description: |-
  2567. operator represents a key's relationship to a set of values.
  2568. Valid operators are In, NotIn, Exists and DoesNotExist.
  2569. type: string
  2570. values:
  2571. description: |-
  2572. values is an array of string values. If the operator is In or NotIn,
  2573. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2574. the values array must be empty. This array is replaced during a strategic
  2575. merge patch.
  2576. type: array
  2577. items:
  2578. type: string
  2579. x-kubernetes-list-type: atomic
  2580. x-kubernetes-list-type: atomic
  2581. matchLabels:
  2582. description: |-
  2583. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2584. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2585. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2586. type: object
  2587. additionalProperties:
  2588. type: string
  2589. x-kubernetes-map-type: atomic
  2590. namespaces:
  2591. description: |-
  2592. namespaces specifies a static list of namespace names that the term applies to.
  2593. The term is applied to the union of the namespaces listed in this field
  2594. and the ones selected by namespaceSelector.
  2595. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2596. type: array
  2597. items:
  2598. type: string
  2599. x-kubernetes-list-type: atomic
  2600. topologyKey:
  2601. description: |-
  2602. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  2603. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  2604. whose value of the label with key topologyKey matches that of any node on which any of the
  2605. selected pods is running.
  2606. Empty topologyKey is not allowed.
  2607. type: string
  2608. weight:
  2609. description: |-
  2610. weight associated with matching the corresponding podAffinityTerm,
  2611. in the range 1-100.
  2612. type: integer
  2613. format: int32
  2614. x-kubernetes-list-type: atomic
  2615. requiredDuringSchedulingIgnoredDuringExecution:
  2616. description: |-
  2617. If the anti-affinity requirements specified by this field are not met at
  2618. scheduling time, the pod will not be scheduled onto the node.
  2619. If the anti-affinity requirements specified by this field cease to be met
  2620. at some point during pod execution (e.g. due to a pod label update), the
  2621. system may or may not try to eventually evict the pod from its node.
  2622. When there are multiple elements, the lists of nodes corresponding to each
  2623. podAffinityTerm are intersected, i.e. all terms must be satisfied.
  2624. type: array
  2625. items:
  2626. description: |-
  2627. Defines a set of pods (namely those matching the labelSelector
  2628. relative to the given namespace(s)) that this pod should be
  2629. co-located (affinity) or not co-located (anti-affinity) with,
  2630. where co-located is defined as running on a node whose value of
  2631. the label with key <topologyKey> matches that of any node on which
  2632. a pod of the set of pods is running
  2633. type: object
  2634. required:
  2635. - topologyKey
  2636. properties:
  2637. labelSelector:
  2638. description: |-
  2639. A label query over a set of resources, in this case pods.
  2640. If it's null, this PodAffinityTerm matches with no Pods.
  2641. type: object
  2642. properties:
  2643. matchExpressions:
  2644. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2645. type: array
  2646. items:
  2647. description: |-
  2648. A label selector requirement is a selector that contains values, a key, and an operator that
  2649. relates the key and values.
  2650. type: object
  2651. required:
  2652. - key
  2653. - operator
  2654. properties:
  2655. key:
  2656. description: key is the label key that the selector applies to.
  2657. type: string
  2658. operator:
  2659. description: |-
  2660. operator represents a key's relationship to a set of values.
  2661. Valid operators are In, NotIn, Exists and DoesNotExist.
  2662. type: string
  2663. values:
  2664. description: |-
  2665. values is an array of string values. If the operator is In or NotIn,
  2666. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2667. the values array must be empty. This array is replaced during a strategic
  2668. merge patch.
  2669. type: array
  2670. items:
  2671. type: string
  2672. x-kubernetes-list-type: atomic
  2673. x-kubernetes-list-type: atomic
  2674. matchLabels:
  2675. description: |-
  2676. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2677. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2678. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2679. type: object
  2680. additionalProperties:
  2681. type: string
  2682. x-kubernetes-map-type: atomic
  2683. matchLabelKeys:
  2684. description: |-
  2685. MatchLabelKeys is a set of pod label keys to select which pods will
  2686. be taken into consideration. The keys are used to look up values from the
  2687. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  2688. to select the group of existing pods which pods will be taken into consideration
  2689. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2690. pod labels will be ignored. The default value is empty.
  2691. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  2692. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  2693. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2694. type: array
  2695. items:
  2696. type: string
  2697. x-kubernetes-list-type: atomic
  2698. mismatchLabelKeys:
  2699. description: |-
  2700. MismatchLabelKeys is a set of pod label keys to select which pods will
  2701. be taken into consideration. The keys are used to look up values from the
  2702. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  2703. to select the group of existing pods which pods will be taken into consideration
  2704. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  2705. pod labels will be ignored. The default value is empty.
  2706. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  2707. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  2708. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  2709. type: array
  2710. items:
  2711. type: string
  2712. x-kubernetes-list-type: atomic
  2713. namespaceSelector:
  2714. description: |-
  2715. A label query over the set of namespaces that the term applies to.
  2716. The term is applied to the union of the namespaces selected by this field
  2717. and the ones listed in the namespaces field.
  2718. null selector and null or empty namespaces list means "this pod's namespace".
  2719. An empty selector ({}) matches all namespaces.
  2720. type: object
  2721. properties:
  2722. matchExpressions:
  2723. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2724. type: array
  2725. items:
  2726. description: |-
  2727. A label selector requirement is a selector that contains values, a key, and an operator that
  2728. relates the key and values.
  2729. type: object
  2730. required:
  2731. - key
  2732. - operator
  2733. properties:
  2734. key:
  2735. description: key is the label key that the selector applies to.
  2736. type: string
  2737. operator:
  2738. description: |-
  2739. operator represents a key's relationship to a set of values.
  2740. Valid operators are In, NotIn, Exists and DoesNotExist.
  2741. type: string
  2742. values:
  2743. description: |-
  2744. values is an array of string values. If the operator is In or NotIn,
  2745. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2746. the values array must be empty. This array is replaced during a strategic
  2747. merge patch.
  2748. type: array
  2749. items:
  2750. type: string
  2751. x-kubernetes-list-type: atomic
  2752. x-kubernetes-list-type: atomic
  2753. matchLabels:
  2754. description: |-
  2755. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2756. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2757. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2758. type: object
  2759. additionalProperties:
  2760. type: string
  2761. x-kubernetes-map-type: atomic
  2762. namespaces:
  2763. description: |-
  2764. namespaces specifies a static list of namespace names that the term applies to.
  2765. The term is applied to the union of the namespaces listed in this field
  2766. and the ones selected by namespaceSelector.
  2767. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  2768. type: array
  2769. items:
  2770. type: string
  2771. x-kubernetes-list-type: atomic
  2772. topologyKey:
  2773. description: |-
  2774. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  2775. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  2776. whose value of the label with key topologyKey matches that of any node on which any of the
  2777. selected pods is running.
  2778. Empty topologyKey is not allowed.
  2779. type: string
  2780. x-kubernetes-list-type: atomic
  2781. imagePullSecrets:
  2782. description: If specified, the pod's imagePullSecrets
  2783. type: array
  2784. items:
  2785. description: |-
  2786. LocalObjectReference contains enough information to let you locate the
  2787. referenced object inside the same namespace.
  2788. type: object
  2789. properties:
  2790. name:
  2791. description: |-
  2792. Name of the referent.
  2793. This field is effectively required, but due to backwards compatibility is
  2794. allowed to be empty. Instances of this type with an empty value here are
  2795. almost certainly wrong.
  2796. TODO: Add other useful fields. apiVersion, kind, uid?
  2797. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  2798. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  2799. type: string
  2800. default: ""
  2801. x-kubernetes-map-type: atomic
  2802. nodeSelector:
  2803. description: |-
  2804. NodeSelector is a selector which must be true for the pod to fit on a node.
  2805. Selector which must match a node's labels for the pod to be scheduled on that node.
  2806. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  2807. type: object
  2808. additionalProperties:
  2809. type: string
  2810. priorityClassName:
  2811. description: If specified, the pod's priorityClassName.
  2812. type: string
  2813. serviceAccountName:
  2814. description: If specified, the pod's service account
  2815. type: string
  2816. tolerations:
  2817. description: If specified, the pod's tolerations.
  2818. type: array
  2819. items:
  2820. description: |-
  2821. The pod this Toleration is attached to tolerates any taint that matches
  2822. the triple <key,value,effect> using the matching operator <operator>.
  2823. type: object
  2824. properties:
  2825. effect:
  2826. description: |-
  2827. Effect indicates the taint effect to match. Empty means match all taint effects.
  2828. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
  2829. type: string
  2830. key:
  2831. description: |-
  2832. Key is the taint key that the toleration applies to. Empty means match all taint keys.
  2833. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  2834. type: string
  2835. operator:
  2836. description: |-
  2837. Operator represents a key's relationship to the value.
  2838. Valid operators are Exists and Equal. Defaults to Equal.
  2839. Exists is equivalent to wildcard for value, so that a pod can
  2840. tolerate all taints of a particular category.
  2841. type: string
  2842. tolerationSeconds:
  2843. description: |-
  2844. TolerationSeconds represents the period of time the toleration (which must be
  2845. of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
  2846. it is not set, which means tolerate the taint forever (do not evict). Zero and
  2847. negative values will be treated as 0 (evict immediately) by the system.
  2848. type: integer
  2849. format: int64
  2850. value:
  2851. description: |-
  2852. Value is the taint value the toleration matches to.
  2853. If the operator is Exists, the value should be empty, otherwise just a regular string.
  2854. type: string
  2855. serviceType:
  2856. description: |-
  2857. Optional service type for Kubernetes solver service. Supported values
  2858. are NodePort or ClusterIP. If unset, defaults to NodePort.
  2859. type: string
  2860. selector:
  2861. description: |-
  2862. Selector selects a set of DNSNames on the Certificate resource that
  2863. should be solved using this challenge solver.
  2864. If not specified, the solver will be treated as the 'default' solver
  2865. with the lowest priority, i.e. if any other solver has a more specific
  2866. match, it will be used instead.
  2867. type: object
  2868. properties:
  2869. dnsNames:
  2870. description: |-
  2871. List of DNSNames that this solver will be used to solve.
  2872. If specified and a match is found, a dnsNames selector will take
  2873. precedence over a dnsZones selector.
  2874. If multiple solvers match with the same dnsNames value, the solver
  2875. with the most matching labels in matchLabels will be selected.
  2876. If neither has more matches, the solver defined earlier in the list
  2877. will be selected.
  2878. type: array
  2879. items:
  2880. type: string
  2881. dnsZones:
  2882. description: |-
  2883. List of DNSZones that this solver will be used to solve.
  2884. The most specific DNS zone match specified here will take precedence
  2885. over other DNS zone matches, so a solver specifying sys.example.com
  2886. will be selected over one specifying example.com for the domain
  2887. www.sys.example.com.
  2888. If multiple solvers match with the same dnsZones value, the solver
  2889. with the most matching labels in matchLabels will be selected.
  2890. If neither has more matches, the solver defined earlier in the list
  2891. will be selected.
  2892. type: array
  2893. items:
  2894. type: string
  2895. matchLabels:
  2896. description: |-
  2897. A label selector that is used to refine the set of certificates that
  2898. this challenge solver will apply to.
  2899. type: object
  2900. additionalProperties:
  2901. type: string
  2902. token:
  2903. description: |-
  2904. The ACME challenge token for this challenge.
  2905. This is the raw value returned from the ACME server.
  2906. type: string
  2907. type:
  2908. description: |-
  2909. The type of ACME challenge this resource represents.
  2910. One of "HTTP-01" or "DNS-01".
  2911. type: string
  2912. enum:
  2913. - HTTP-01
  2914. - DNS-01
  2915. url:
  2916. description: |-
  2917. The URL of the ACME Challenge resource for this challenge.
  2918. This can be used to look up details about the status of this challenge.
  2919. type: string
  2920. wildcard:
  2921. description: |-
  2922. wildcard will be true if this challenge is for a wildcard identifier,
  2923. for example '*.example.com'.
  2924. type: boolean
  2925. status:
  2926. type: object
  2927. properties:
  2928. presented:
  2929. description: |-
  2930. presented will be set to true if the challenge values for this challenge
  2931. are currently 'presented'.
  2932. This *does not* imply the self check is passing. Only that the values
  2933. have been 'submitted' for the appropriate challenge mechanism (i.e. the
  2934. DNS01 TXT record has been presented, or the HTTP01 configuration has been
  2935. configured).
  2936. type: boolean
  2937. processing:
  2938. description: |-
  2939. Used to denote whether this challenge should be processed or not.
  2940. This field will only be set to true by the 'scheduling' component.
  2941. It will only be set to false by the 'challenges' controller, after the
  2942. challenge has reached a final state or timed out.
  2943. If this field is set to false, the challenge controller will not take
  2944. any more action.
  2945. type: boolean
  2946. reason:
  2947. description: |-
  2948. Contains human readable information on why the Challenge is in the
  2949. current state.
  2950. type: string
  2951. state:
  2952. description: |-
  2953. Contains the current 'state' of the challenge.
  2954. If not set, the state of the challenge is unknown.
  2955. type: string
  2956. enum:
  2957. - valid
  2958. - ready
  2959. - pending
  2960. - processing
  2961. - invalid
  2962. - expired
  2963. - errored
  2964. served: true
  2965. storage: true
  2966. subresources:
  2967. status: {}
  2968. # END crd
  2969. ---
  2970. # Source: cert-manager/templates/crds.yaml
  2971. # START crd
  2972. apiVersion: apiextensions.k8s.io/v1
  2973. kind: CustomResourceDefinition
  2974. metadata:
  2975. name: clusterissuers.cert-manager.io
  2976. # START annotations
  2977. annotations:
  2978. helm.sh/resource-policy: keep
  2979. # END annotations
  2980. labels:
  2981. app: 'cert-manager'
  2982. app.kubernetes.io/name: 'cert-manager'
  2983. app.kubernetes.io/instance: 'cert-manager'
  2984. # Generated labels
  2985. app.kubernetes.io/version: "v1.15.2"
  2986. spec:
  2987. group: cert-manager.io
  2988. names:
  2989. kind: ClusterIssuer
  2990. listKind: ClusterIssuerList
  2991. plural: clusterissuers
  2992. singular: clusterissuer
  2993. categories:
  2994. - cert-manager
  2995. scope: Cluster
  2996. versions:
  2997. - name: v1
  2998. subresources:
  2999. status: {}
  3000. additionalPrinterColumns:
  3001. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  3002. name: Ready
  3003. type: string
  3004. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  3005. name: Status
  3006. priority: 1
  3007. type: string
  3008. - jsonPath: .metadata.creationTimestamp
  3009. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  3010. name: Age
  3011. type: date
  3012. schema:
  3013. openAPIV3Schema:
  3014. description: |-
  3015. A ClusterIssuer represents a certificate issuing authority which can be
  3016. referenced as part of `issuerRef` fields.
  3017. It is similar to an Issuer, however it is cluster-scoped and therefore can
  3018. be referenced by resources that exist in *any* namespace, not just the same
  3019. namespace as the referent.
  3020. type: object
  3021. required:
  3022. - spec
  3023. properties:
  3024. apiVersion:
  3025. description: |-
  3026. APIVersion defines the versioned schema of this representation of an object.
  3027. Servers should convert recognized schemas to the latest internal value, and
  3028. may reject unrecognized values.
  3029. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  3030. type: string
  3031. kind:
  3032. description: |-
  3033. Kind is a string value representing the REST resource this object represents.
  3034. Servers may infer this from the endpoint the client submits requests to.
  3035. Cannot be updated.
  3036. In CamelCase.
  3037. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  3038. type: string
  3039. metadata:
  3040. type: object
  3041. spec:
  3042. description: Desired state of the ClusterIssuer resource.
  3043. type: object
  3044. properties:
  3045. acme:
  3046. description: |-
  3047. ACME configures this issuer to communicate with a RFC8555 (ACME) server
  3048. to obtain signed x509 certificates.
  3049. type: object
  3050. required:
  3051. - privateKeySecretRef
  3052. - server
  3053. properties:
  3054. caBundle:
  3055. description: |-
  3056. Base64-encoded bundle of PEM CAs which can be used to validate the certificate
  3057. chain presented by the ACME server.
  3058. Mutually exclusive with SkipTLSVerify; prefer using CABundle, since skipping TLS
  3059. verification means the ACME server's identity is not validated.
  3060. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
  3061. the container is used to validate the TLS connection.
  3062. type: string
  3063. format: byte
  3064. disableAccountKeyGeneration:
  3065. description: |-
  3066. Enables or disables generating a new ACME account key.
  3067. If true, the Issuer resource will *not* request a new account but will expect
  3068. the account key to be supplied via an existing secret.
  3069. If false, the cert-manager system will generate a new ACME account key
  3070. for the Issuer.
  3071. Defaults to false.
  3072. type: boolean
  3073. email:
  3074. description: |-
  3075. Email is the email address to be associated with the ACME account.
  3076. This field is optional, but it is strongly recommended to be set.
  3077. It will be used to contact you in case of issues with your account or
  3078. certificates, including expiry notification emails.
  3079. This field may be updated after the account is initially registered.
  3080. type: string
  3081. enableDurationFeature:
  3082. description: |-
  3083. Enables requesting a Not After date on certificates that matches the
  3084. duration of the certificate. This is not supported by all ACME servers
  3085. like Let's Encrypt. If set to true when the ACME server does not support
  3086. it, it will create an error on the Order.
  3087. Defaults to false.
  3088. type: boolean
  3089. externalAccountBinding:
  3090. description: |-
  3091. ExternalAccountBinding is a reference to a CA external account of the ACME
  3092. server.
  3093. If set, upon registration cert-manager will attempt to associate the given
  3094. external account credentials with the registered ACME account.
  3095. type: object
  3096. required:
  3097. - keyID
  3098. - keySecretRef
  3099. properties:
  3100. keyAlgorithm:
  3101. description: |-
  3102. Deprecated: keyAlgorithm field exists for historical compatibility
  3103. reasons and should not be used. The algorithm is now hardcoded to HS256
  3104. in golang/x/crypto/acme.
  3105. type: string
  3106. enum:
  3107. - HS256
  3108. - HS384
  3109. - HS512
  3110. keyID:
  3111. description: keyID is the ID of the CA key that the External Account is bound to.
  3112. type: string
  3113. keySecretRef:
  3114. description: |-
  3115. keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
  3116. Secret which holds the symmetric MAC key of the External Account Binding.
  3117. The `key` is the index string that is paired with the key data in the
  3118. Secret and should not be confused with the key data itself, or indeed with
  3119. the External Account Binding keyID above.
  3120. The secret key stored in the Secret **must** be un-padded, base64 URL
  3121. encoded data.
  3122. type: object
  3123. required:
  3124. - name
  3125. properties:
  3126. key:
  3127. description: |-
  3128. The key of the entry in the Secret resource's `data` field to be used.
  3129. Some instances of this field may be defaulted, in others it may be
  3130. required.
  3131. type: string
  3132. name:
  3133. description: |-
  3134. Name of the resource being referred to.
  3135. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3136. type: string
  3137. preferredChain:
  3138. description: |-
  3139. PreferredChain is the chain to use if the ACME server outputs multiple.
  3140. PreferredChain is no guarantee that this one gets delivered by the ACME
  3141. endpoint.
  3142. For example, for Let's Encrypt's DST cross-sign you would use:
  3143. "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
  3144. This value picks the first certificate bundle in the combined set of
  3145. ACME default and alternative chains that has a root-most certificate with
  3146. this value as its issuer's commonname.
  3147. type: string
  3148. maxLength: 64
  3149. privateKeySecretRef:
  3150. description: |-
  3151. PrivateKey is the name of a Kubernetes Secret resource that will be used to
  3152. store the automatically generated ACME account private key.
  3153. Optionally, a `key` may be specified to select a specific entry within
  3154. the named Secret resource.
  3155. If `key` is not specified, a default of `tls.key` will be used.
  3156. type: object
  3157. required:
  3158. - name
  3159. properties:
  3160. key:
  3161. description: |-
  3162. The key of the entry in the Secret resource's `data` field to be used.
  3163. Some instances of this field may be defaulted, in others it may be
  3164. required.
  3165. type: string
  3166. name:
  3167. description: |-
  3168. Name of the resource being referred to.
  3169. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3170. type: string
  3171. server:
  3172. description: |-
  3173. Server is the URL used to access the ACME server's 'directory' endpoint.
  3174. For example, for Let's Encrypt's staging endpoint, you would use:
  3175. "https://acme-staging-v02.api.letsencrypt.org/directory".
  3176. Only ACME v2 endpoints (i.e. RFC 8555) are supported.
  3177. type: string
  3178. skipTLSVerify:
  3179. description: |-
  3180. INSECURE: Enables or disables validation of the ACME server TLS certificate.
  3181. If true, requests to the ACME server will not have the TLS certificate chain
  3182. validated.
  3183. Mutually exclusive with CABundle; prefer using CABundle to prevent various
  3184. kinds of security vulnerabilities.
  3185. Only enable this option in development environments.
  3186. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
  3187. the container is used to validate the TLS connection.
  3188. Defaults to false.
  3189. type: boolean
  3190. solvers:
  3191. description: |-
  3192. Solvers is a list of challenge solvers that will be used to solve
  3193. ACME challenges for the matching domains.
  3194. Solver configurations must be provided in order to obtain certificates
  3195. from an ACME server.
  3196. For more information, see: https://cert-manager.io/docs/configuration/acme/
  3197. type: array
  3198. items:
  3199. description: |-
  3200. An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
  3201. A selector may be provided to use different solving strategies for different DNS names.
  3202. Only one of HTTP01 or DNS01 must be provided.
  3203. type: object
  3204. properties:
  3205. dns01:
  3206. description: |-
  3207. Configures cert-manager to attempt to complete authorizations by
  3208. performing the DNS01 challenge flow.
  3209. type: object
  3210. properties:
  3211. acmeDNS:
  3212. description: |-
  3213. Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
  3214. DNS01 challenge records.
  3215. type: object
  3216. required:
  3217. - accountSecretRef
  3218. - host
  3219. properties:
  3220. accountSecretRef:
  3221. description: |-
  3222. A reference to a specific 'key' within a Secret resource.
  3223. In some instances, `key` is a required field.
  3224. type: object
  3225. required:
  3226. - name
  3227. properties:
  3228. key:
  3229. description: |-
  3230. The key of the entry in the Secret resource's `data` field to be used.
  3231. Some instances of this field may be defaulted, in others it may be
  3232. required.
  3233. type: string
  3234. name:
  3235. description: |-
  3236. Name of the resource being referred to.
  3237. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3238. type: string
  3239. host:
  3240. type: string
  3241. akamai:
  3242. description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
  3243. type: object
  3244. required:
  3245. - accessTokenSecretRef
  3246. - clientSecretSecretRef
  3247. - clientTokenSecretRef
  3248. - serviceConsumerDomain
  3249. properties:
  3250. accessTokenSecretRef:
  3251. description: |-
  3252. A reference to a specific 'key' within a Secret resource.
  3253. In some instances, `key` is a required field.
  3254. type: object
  3255. required:
  3256. - name
  3257. properties:
  3258. key:
  3259. description: |-
  3260. The key of the entry in the Secret resource's `data` field to be used.
  3261. Some instances of this field may be defaulted, in others it may be
  3262. required.
  3263. type: string
  3264. name:
  3265. description: |-
  3266. Name of the resource being referred to.
  3267. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3268. type: string
  3269. clientSecretSecretRef:
  3270. description: |-
  3271. A reference to a specific 'key' within a Secret resource.
  3272. In some instances, `key` is a required field.
  3273. type: object
  3274. required:
  3275. - name
  3276. properties:
  3277. key:
  3278. description: |-
  3279. The key of the entry in the Secret resource's `data` field to be used.
  3280. Some instances of this field may be defaulted, in others it may be
  3281. required.
  3282. type: string
  3283. name:
  3284. description: |-
  3285. Name of the resource being referred to.
  3286. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3287. type: string
  3288. clientTokenSecretRef:
  3289. description: |-
  3290. A reference to a specific 'key' within a Secret resource.
  3291. In some instances, `key` is a required field.
  3292. type: object
  3293. required:
  3294. - name
  3295. properties:
  3296. key:
  3297. description: |-
  3298. The key of the entry in the Secret resource's `data` field to be used.
  3299. Some instances of this field may be defaulted, in others it may be
  3300. required.
  3301. type: string
  3302. name:
  3303. description: |-
  3304. Name of the resource being referred to.
  3305. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3306. type: string
  3307. serviceConsumerDomain:
  3308. type: string
  3309. azureDNS:
  3310. description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
  3311. type: object
  3312. required:
  3313. - resourceGroupName
  3314. - subscriptionID
  3315. properties:
  3316. clientID:
  3317. description: |-
  3318. Auth: Azure Service Principal:
  3319. The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
  3320. If set, ClientSecret and TenantID must also be set.
  3321. type: string
  3322. clientSecretSecretRef:
  3323. description: |-
  3324. Auth: Azure Service Principal:
  3325. A reference to a Secret containing the password associated with the Service Principal.
  3326. If set, ClientID and TenantID must also be set.
  3327. type: object
  3328. required:
  3329. - name
  3330. properties:
  3331. key:
  3332. description: |-
  3333. The key of the entry in the Secret resource's `data` field to be used.
  3334. Some instances of this field may be defaulted, in others it may be
  3335. required.
  3336. type: string
  3337. name:
  3338. description: |-
  3339. Name of the resource being referred to.
  3340. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3341. type: string
  3342. environment:
  3343. description: name of the Azure environment (default AzurePublicCloud)
  3344. type: string
  3345. enum:
  3346. - AzurePublicCloud
  3347. - AzureChinaCloud
  3348. - AzureGermanCloud
  3349. - AzureUSGovernmentCloud
  3350. hostedZoneName:
  3351. description: name of the DNS zone that should be used
  3352. type: string
  3353. managedIdentity:
  3354. description: |-
  3355. Auth: Azure Workload Identity or Azure Managed Service Identity:
  3356. Settings to enable Azure Workload Identity or Azure Managed Service Identity
  3357. If set, ClientID, ClientSecret and TenantID must not be set.
  3358. type: object
  3359. properties:
  3360. clientID:
  3361. description: client ID of the managed identity, cannot be used at the same time as resourceID
  3362. type: string
  3363. resourceID:
  3364. description: |-
  3365. resource ID of the managed identity, cannot be used at the same time as clientID
  3366. Cannot be used for Azure Managed Service Identity
  3367. type: string
  3368. resourceGroupName:
  3369. description: resource group the DNS zone is located in
  3370. type: string
  3371. subscriptionID:
  3372. description: ID of the Azure subscription
  3373. type: string
  3374. tenantID:
  3375. description: |-
  3376. Auth: Azure Service Principal:
  3377. The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
  3378. If set, ClientID and ClientSecret must also be set.
  3379. type: string
  3380. cloudDNS:
  3381. description: Use the Google Cloud DNS API to manage DNS01 challenge records.
  3382. type: object
  3383. required:
  3384. - project
  3385. properties:
  3386. hostedZoneName:
  3387. description: |-
  3388. HostedZoneName is an optional field that tells cert-manager in which
  3389. Cloud DNS zone the challenge record has to be created.
  3390. If left empty cert-manager will automatically choose a zone.
  3391. type: string
  3392. project:
  3393. type: string
  3394. serviceAccountSecretRef:
  3395. description: |-
  3396. A reference to a specific 'key' within a Secret resource.
  3397. In some instances, `key` is a required field.
  3398. type: object
  3399. required:
  3400. - name
  3401. properties:
  3402. key:
  3403. description: |-
  3404. The key of the entry in the Secret resource's `data` field to be used.
  3405. Some instances of this field may be defaulted, in others it may be
  3406. required.
  3407. type: string
  3408. name:
  3409. description: |-
  3410. Name of the resource being referred to.
  3411. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3412. type: string
  3413. cloudflare:
  3414. description: Use the Cloudflare API to manage DNS01 challenge records.
  3415. type: object
  3416. properties:
  3417. apiKeySecretRef:
  3418. description: |-
  3419. API key to use to authenticate with Cloudflare.
  3420. Note: using an API token to authenticate is now the recommended method
  3421. as it allows greater control of permissions.
  3422. type: object
  3423. required:
  3424. - name
  3425. properties:
  3426. key:
  3427. description: |-
  3428. The key of the entry in the Secret resource's `data` field to be used.
  3429. Some instances of this field may be defaulted, in others it may be
  3430. required.
  3431. type: string
  3432. name:
  3433. description: |-
  3434. Name of the resource being referred to.
  3435. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3436. type: string
  3437. apiTokenSecretRef:
  3438. description: API token used to authenticate with Cloudflare.
  3439. type: object
  3440. required:
  3441. - name
  3442. properties:
  3443. key:
  3444. description: |-
  3445. The key of the entry in the Secret resource's `data` field to be used.
  3446. Some instances of this field may be defaulted, in others it may be
  3447. required.
  3448. type: string
  3449. name:
  3450. description: |-
  3451. Name of the resource being referred to.
  3452. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3453. type: string
  3454. email:
  3455. description: Email of the account, only required when using API key based authentication.
  3456. type: string
  3457. cnameStrategy:
  3458. description: |-
  3459. CNAMEStrategy configures how the DNS01 provider should handle CNAME
  3460. records when found in DNS zones.
  3461. type: string
  3462. enum:
  3463. - None
  3464. - Follow
  3465. digitalocean:
  3466. description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
  3467. type: object
  3468. required:
  3469. - tokenSecretRef
  3470. properties:
  3471. tokenSecretRef:
  3472. description: |-
  3473. A reference to a specific 'key' within a Secret resource.
  3474. In some instances, `key` is a required field.
  3475. type: object
  3476. required:
  3477. - name
  3478. properties:
  3479. key:
  3480. description: |-
  3481. The key of the entry in the Secret resource's `data` field to be used.
  3482. Some instances of this field may be defaulted, in others it may be
  3483. required.
  3484. type: string
  3485. name:
  3486. description: |-
  3487. Name of the resource being referred to.
  3488. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3489. type: string
  3490. rfc2136:
  3491. description: |-
  3492. Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
  3493. to manage DNS01 challenge records.
  3494. type: object
  3495. required:
  3496. - nameserver
  3497. properties:
  3498. nameserver:
  3499. description: |-
  3500. The IP address or hostname of an authoritative DNS server supporting
  3501. RFC2136 in the form host:port. If the host is an IPv6 address it must be
  3502. enclosed in square brackets (e.g. [2001:db8::1]); port is optional.
  3503. This field is required.
  3504. type: string
  3505. tsigAlgorithm:
  3506. description: |-
  3507. The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
  3508. when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
  3509. Supported values are (case-insensitive): ``HMACMD5`` (default),
  3510. ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
  3511. type: string
  3512. tsigKeyName:
  3513. description: |-
  3514. The TSIG Key name configured in the DNS.
  3515. If ``tsigSecretSecretRef`` is defined, this field is required.
  3516. type: string
  3517. tsigSecretSecretRef:
  3518. description: |-
  3519. The name of the secret containing the TSIG value.
  3520. If ``tsigKeyName`` is defined, this field is required.
  3521. type: object
  3522. required:
  3523. - name
  3524. properties:
  3525. key:
  3526. description: |-
  3527. The key of the entry in the Secret resource's `data` field to be used.
  3528. Some instances of this field may be defaulted, in others it may be
  3529. required.
  3530. type: string
  3531. name:
  3532. description: |-
  3533. Name of the resource being referred to.
  3534. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3535. type: string
  3536. route53:
  3537. description: Use the AWS Route53 API to manage DNS01 challenge records.
  3538. type: object
  3539. required:
  3540. - region
  3541. properties:
  3542. accessKeyID:
  3543. description: |-
  3544. The AccessKeyID is used for authentication.
  3545. Cannot be set when SecretAccessKeyID is set.
  3546. If neither the Access Key nor Key ID are set, we fall-back to using env
  3547. vars, shared credentials file or AWS Instance metadata,
  3548. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  3549. type: string
  3550. accessKeyIDSecretRef:
  3551. description: |-
  3552. The SecretAccessKey is used for authentication. If set, pull the AWS
  3553. access key ID from a key within a Kubernetes Secret.
  3554. Cannot be set when AccessKeyID is set.
  3555. If neither the Access Key nor Key ID are set, we fall-back to using env
  3556. vars, shared credentials file or AWS Instance metadata,
  3557. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  3558. type: object
  3559. required:
  3560. - name
  3561. properties:
  3562. key:
  3563. description: |-
  3564. The key of the entry in the Secret resource's `data` field to be used.
  3565. Some instances of this field may be defaulted, in others it may be
  3566. required.
  3567. type: string
  3568. name:
  3569. description: |-
  3570. Name of the resource being referred to.
  3571. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3572. type: string
  3573. auth:
  3574. description: Auth configures how cert-manager authenticates.
  3575. type: object
  3576. required:
  3577. - kubernetes
  3578. properties:
  3579. kubernetes:
  3580. description: |-
  3581. Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
  3582. by passing a bound ServiceAccount token.
  3583. type: object
  3584. required:
  3585. - serviceAccountRef
  3586. properties:
  3587. serviceAccountRef:
  3588. description: |-
  3589. A reference to a service account that will be used to request a bound
  3590. token (also known as "projected token"). To use this field, you must
  3591. configure an RBAC rule to let cert-manager request a token.
  3592. type: object
  3593. required:
  3594. - name
  3595. properties:
  3596. audiences:
  3597. description: |-
  3598. TokenAudiences is an optional list of audiences to include in the
  3599. token passed to AWS. The default token consisting of the issuer's namespace
  3600. and name is always included.
  3601. If unset the audience defaults to `sts.amazonaws.com`.
  3602. type: array
  3603. items:
  3604. type: string
  3605. name:
  3606. description: Name of the ServiceAccount used to request a token.
  3607. type: string
  3608. hostedZoneID:
  3609. description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
  3610. type: string
  3611. region:
  3612. description: Always set the region when using AccessKeyID and SecretAccessKey
  3613. type: string
  3614. role:
  3615. description: |-
  3616. Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
  3617. or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
  3618. type: string
  3619. secretAccessKeySecretRef:
  3620. description: |-
  3621. The SecretAccessKey is used for authentication.
  3622. If neither the Access Key nor Key ID are set, we fall-back to using env
  3623. vars, shared credentials file or AWS Instance metadata,
  3624. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  3625. type: object
  3626. required:
  3627. - name
  3628. properties:
  3629. key:
  3630. description: |-
  3631. The key of the entry in the Secret resource's `data` field to be used.
  3632. Some instances of this field may be defaulted, in others it may be
  3633. required.
  3634. type: string
  3635. name:
  3636. description: |-
  3637. Name of the resource being referred to.
  3638. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  3639. type: string
  3640. webhook:
  3641. description: |-
  3642. Configure an external webhook based DNS01 challenge solver to manage
  3643. DNS01 challenge records.
  3644. type: object
  3645. required:
  3646. - groupName
  3647. - solverName
  3648. properties:
  3649. config:
  3650. description: |-
  3651. Additional configuration that should be passed to the webhook apiserver
  3652. when challenges are processed.
  3653. This can contain arbitrary JSON data.
  3654. Secret values should not be specified in this stanza.
  3655. If secret values are needed (e.g. credentials for a DNS service), you
  3656. should use a SecretKeySelector to reference a Secret resource.
  3657. For details on the schema of this field, consult the webhook provider
  3658. implementation's documentation.
  3659. x-kubernetes-preserve-unknown-fields: true
  3660. groupName:
  3661. description: |-
  3662. The API group name that should be used when POSTing ChallengePayload
  3663. resources to the webhook apiserver.
  3664. This should be the same as the GroupName specified in the webhook
  3665. provider implementation.
  3666. type: string
  3667. solverName:
  3668. description: |-
  3669. The name of the solver to use, as defined in the webhook provider
  3670. implementation.
  3671. This will typically be the name of the provider, e.g. 'cloudflare'.
  3672. type: string
  3673. http01:
  3674. description: |-
  3675. Configures cert-manager to attempt to complete authorizations by
  3676. performing the HTTP01 challenge flow.
  3677. It is not possible to obtain certificates for wildcard domain names
  3678. (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
  3679. type: object
  3680. properties:
  3681. gatewayHTTPRoute:
  3682. description: |-
  3683. The Gateway API is a sig-network community API that models service networking
  3684. in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
  3685. create HTTPRoutes with the specified labels in the same namespace as the challenge.
  3686. This solver is experimental, and fields / behaviour may change in the future.
  3687. type: object
  3688. properties:
  3689. labels:
  3690. description: |-
  3691. Custom labels that will be applied to HTTPRoutes created by cert-manager
  3692. while solving HTTP-01 challenges.
  3693. type: object
  3694. additionalProperties:
  3695. type: string
  3696. parentRefs:
  3697. description: |-
  3698. When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
  3699. cert-manager needs to know which parentRefs should be used when creating
  3700. the HTTPRoute. Usually, the parentRef references a Gateway. See:
  3701. https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
  3702. type: array
  3703. items:
  3704. description: |-
  3705. ParentReference identifies an API object (usually a Gateway) that can be considered
  3706. a parent of this resource (usually a route). There are two kinds of parent resources
  3707. with "Core" support:
  3708. * Gateway (Gateway conformance profile)
  3709. * Service (Mesh conformance profile, ClusterIP Services only)
  3710. This API may be extended in the future to support additional kinds of parent
  3711. resources.
  3712. The API object must be valid in the cluster; the Group and Kind must
  3713. be registered in the cluster for this reference to be valid.
  3714. type: object
  3715. required:
  3716. - name
  3717. properties:
  3718. group:
  3719. description: |-
  3720. Group is the group of the referent.
  3721. When unspecified, "gateway.networking.k8s.io" is inferred.
  3722. To set the core API group (such as for a "Service" kind referent),
  3723. Group must be explicitly set to "" (empty string).
  3724. Support: Core
  3725. type: string
  3726. default: gateway.networking.k8s.io
  3727. maxLength: 253
  3728. pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3729. kind:
  3730. description: |-
  3731. Kind is kind of the referent.
  3732. There are two kinds of parent resources with "Core" support:
  3733. * Gateway (Gateway conformance profile)
  3734. * Service (Mesh conformance profile, ClusterIP Services only)
  3735. Support for other resources is Implementation-Specific.
  3736. type: string
  3737. default: Gateway
  3738. maxLength: 63
  3739. minLength: 1
  3740. pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
  3741. name:
  3742. description: |-
  3743. Name is the name of the referent.
  3744. Support: Core
  3745. type: string
  3746. maxLength: 253
  3747. minLength: 1
  3748. namespace:
  3749. description: |-
  3750. Namespace is the namespace of the referent. When unspecified, this refers
  3751. to the local namespace of the Route.
  3752. Note that there are specific rules for ParentRefs which cross namespace
  3753. boundaries. Cross-namespace references are only valid if they are explicitly
  3754. allowed by something in the namespace they are referring to. For example:
  3755. Gateway has the AllowedRoutes field, and ReferenceGrant provides a
  3756. generic way to enable any other kind of cross-namespace reference.
  3757. <gateway:experimental:description>
  3758. ParentRefs from a Route to a Service in the same namespace are "producer"
  3759. routes, which apply default routing rules to inbound connections from
  3760. any namespace to the Service.
  3761. ParentRefs from a Route to a Service in a different namespace are
  3762. "consumer" routes, and these routing rules are only applied to outbound
  3763. connections originating from the same namespace as the Route, for which
  3764. the intended destination of the connections are a Service targeted as a
  3765. ParentRef of the Route.
  3766. </gateway:experimental:description>
  3767. Support: Core
  3768. type: string
  3769. maxLength: 63
  3770. minLength: 1
  3771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3772. port:
  3773. description: |-
  3774. Port is the network port this Route targets. It can be interpreted
  3775. differently based on the type of parent resource.
  3776. When the parent resource is a Gateway, this targets all listeners
  3777. listening on the specified port that also support this kind of Route (and
  3778. select this Route). It's not recommended to set `Port` unless the
  3779. networking behaviors specified in a Route must apply to a specific port
  3780. as opposed to a listener(s) whose port(s) may be changed. When both Port
  3781. and SectionName are specified, the name and port of the selected listener
  3782. must match both specified values.
  3783. <gateway:experimental:description>
  3784. When the parent resource is a Service, this targets a specific port in the
  3785. Service spec. When both Port (experimental) and SectionName are specified,
  3786. the name and port of the selected port must match both specified values.
  3787. </gateway:experimental:description>
  3788. Implementations MAY choose to support other parent resources.
  3789. Implementations supporting other types of parent resources MUST clearly
  3790. document how/if Port is interpreted.
  3791. For the purpose of status, an attachment is considered successful as
  3792. long as the parent resource accepts it partially. For example, Gateway
  3793. listeners can restrict which Routes can attach to them by Route kind,
  3794. namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
  3795. from the referencing Route, the Route MUST be considered successfully
  3796. attached. If no Gateway listeners accept attachment from this Route,
  3797. the Route MUST be considered detached from the Gateway.
  3798. Support: Extended
  3799. type: integer
  3800. format: int32
  3801. maximum: 65535
  3802. minimum: 1
  3803. sectionName:
  3804. description: |-
  3805. SectionName is the name of a section within the target resource. In the
  3806. following resources, SectionName is interpreted as the following:
  3807. * Gateway: Listener name. When both Port (experimental) and SectionName
  3808. are specified, the name and port of the selected listener must match
  3809. both specified values.
  3810. * Service: Port name. When both Port (experimental) and SectionName
  3811. are specified, the name and port of the selected listener must match
  3812. both specified values.
  3813. Implementations MAY choose to support attaching Routes to other resources.
  3814. If that is the case, they MUST clearly document how SectionName is
  3815. interpreted.
  3816. When unspecified (empty string), this will reference the entire resource.
  3817. For the purpose of status, an attachment is considered successful if at
  3818. least one section in the parent resource accepts it. For example, Gateway
  3819. listeners can restrict which Routes can attach to them by Route kind,
  3820. namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
  3821. the referencing Route, the Route MUST be considered successfully
  3822. attached. If no Gateway listeners accept attachment from this Route, the
  3823. Route MUST be considered detached from the Gateway.
  3824. Support: Core
  3825. type: string
  3826. maxLength: 253
  3827. minLength: 1
  3828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3829. serviceType:
  3830. description: |-
  3831. Optional service type for Kubernetes solver service. Supported values
  3832. are NodePort or ClusterIP. If unset, defaults to NodePort.
  3833. type: string
  3834. ingress:
  3835. description: |-
  3836. The ingress based HTTP01 challenge solver will solve challenges by
  3837. creating or modifying Ingress resources in order to route requests for
  3838. '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
  3839. provisioned by cert-manager for each Challenge to be completed.
  3840. type: object
  3841. properties:
  3842. class:
  3843. description: |-
  3844. This field configures the annotation `kubernetes.io/ingress.class` when
  3845. creating Ingress resources to solve ACME challenges that use this
  3846. challenge solver. Only one of `class`, `name` or `ingressClassName` may
  3847. be specified.
  3848. type: string
  3849. ingressClassName:
  3850. description: |-
  3851. This field configures the field `ingressClassName` on the created Ingress
  3852. resources used to solve ACME challenges that use this challenge solver.
  3853. This is the recommended way of configuring the ingress class. Only one of
  3854. `class`, `name` or `ingressClassName` may be specified.
  3855. type: string
  3856. ingressTemplate:
  3857. description: |-
  3858. Optional ingress template used to configure the ACME challenge solver
  3859. ingress used for HTTP01 challenges.
  3860. type: object
  3861. properties:
  3862. metadata:
  3863. description: |-
  3864. ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
  3865. Only the 'labels' and 'annotations' fields may be set.
  3866. If labels or annotations overlap with in-built values, the values here
  3867. will override the in-built values.
  3868. type: object
  3869. properties:
  3870. annotations:
  3871. description: Annotations that should be added to the created ACME HTTP01 solver ingress.
  3872. type: object
  3873. additionalProperties:
  3874. type: string
  3875. labels:
  3876. description: Labels that should be added to the created ACME HTTP01 solver ingress.
  3877. type: object
  3878. additionalProperties:
  3879. type: string
  3880. name:
  3881. description: |-
  3882. The name of the ingress resource that should have ACME challenge solving
  3883. routes inserted into it in order to solve HTTP01 challenges.
  3884. This is typically used in conjunction with ingress controllers like
  3885. ingress-gce, which maintains a 1:1 mapping between external IPs and
  3886. ingress resources. Only one of `class`, `name` or `ingressClassName` may
  3887. be specified.
  3888. type: string
  3889. podTemplate:
  3890. description: |-
  3891. Optional pod template used to configure the ACME challenge solver pods
  3892. used for HTTP01 challenges.
  3893. type: object
  3894. properties:
  3895. metadata:
  3896. description: |-
  3897. ObjectMeta overrides for the pod used to solve HTTP01 challenges.
  3898. Only the 'labels' and 'annotations' fields may be set.
  3899. If labels or annotations overlap with in-built values, the values here
  3900. will override the in-built values.
  3901. type: object
  3902. properties:
  3903. annotations:
  3904. description: Annotations that should be added to the created ACME HTTP01 solver pods.
  3905. type: object
  3906. additionalProperties:
  3907. type: string
  3908. labels:
  3909. description: Labels that should be added to the created ACME HTTP01 solver pods.
  3910. type: object
  3911. additionalProperties:
  3912. type: string
  3913. spec:
  3914. description: |-
  3915. PodSpec defines overrides for the HTTP01 challenge solver pod.
  3916. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
  3917. All other fields will be ignored.
  3918. type: object
  3919. properties:
  3920. affinity:
  3921. description: If specified, the pod's scheduling constraints
  3922. type: object
  3923. properties:
  3924. nodeAffinity:
  3925. description: Describes node affinity scheduling rules for the pod.
  3926. type: object
  3927. properties:
  3928. preferredDuringSchedulingIgnoredDuringExecution:
  3929. description: |-
  3930. The scheduler will prefer to schedule pods to nodes that satisfy
  3931. the affinity expressions specified by this field, but it may choose
  3932. a node that violates one or more of the expressions. The node that is
  3933. most preferred is the one with the greatest sum of weights, i.e.
  3934. for each node that meets all of the scheduling requirements (resource
  3935. request, requiredDuringScheduling affinity expressions, etc.),
  3936. compute a sum by iterating through the elements of this field and adding
  3937. "weight" to the sum if the node matches the corresponding matchExpressions; the
  3938. node(s) with the highest sum are the most preferred.
  3939. type: array
  3940. items:
  3941. description: |-
  3942. An empty preferred scheduling term matches all objects with implicit weight 0
  3943. (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
  3944. type: object
  3945. required:
  3946. - preference
  3947. - weight
  3948. properties:
  3949. preference:
  3950. description: A node selector term, associated with the corresponding weight.
  3951. type: object
  3952. properties:
  3953. matchExpressions:
  3954. description: A list of node selector requirements by node's labels.
  3955. type: array
  3956. items:
  3957. description: |-
  3958. A node selector requirement is a selector that contains values, a key, and an operator
  3959. that relates the key and values.
  3960. type: object
  3961. required:
  3962. - key
  3963. - operator
  3964. properties:
  3965. key:
  3966. description: The label key that the selector applies to.
  3967. type: string
  3968. operator:
  3969. description: |-
  3970. Represents a key's relationship to a set of values.
  3971. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  3972. type: string
  3973. values:
  3974. description: |-
  3975. An array of string values. If the operator is In or NotIn,
  3976. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  3977. the values array must be empty. If the operator is Gt or Lt, the values
  3978. array must have a single element, which will be interpreted as an integer.
  3979. This array is replaced during a strategic merge patch.
  3980. type: array
  3981. items:
  3982. type: string
  3983. x-kubernetes-list-type: atomic
  3984. x-kubernetes-list-type: atomic
  3985. matchFields:
  3986. description: A list of node selector requirements by node's fields.
  3987. type: array
  3988. items:
  3989. description: |-
  3990. A node selector requirement is a selector that contains values, a key, and an operator
  3991. that relates the key and values.
  3992. type: object
  3993. required:
  3994. - key
  3995. - operator
  3996. properties:
  3997. key:
  3998. description: The label key that the selector applies to.
  3999. type: string
  4000. operator:
  4001. description: |-
  4002. Represents a key's relationship to a set of values.
  4003. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  4004. type: string
  4005. values:
  4006. description: |-
  4007. An array of string values. If the operator is In or NotIn,
  4008. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4009. the values array must be empty. If the operator is Gt or Lt, the values
  4010. array must have a single element, which will be interpreted as an integer.
  4011. This array is replaced during a strategic merge patch.
  4012. type: array
  4013. items:
  4014. type: string
  4015. x-kubernetes-list-type: atomic
  4016. x-kubernetes-list-type: atomic
  4017. x-kubernetes-map-type: atomic
  4018. weight:
  4019. description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  4020. type: integer
  4021. format: int32
  4022. x-kubernetes-list-type: atomic
  4023. requiredDuringSchedulingIgnoredDuringExecution:
  4024. description: |-
  4025. If the affinity requirements specified by this field are not met at
  4026. scheduling time, the pod will not be scheduled onto the node.
  4027. If the affinity requirements specified by this field cease to be met
  4028. at some point during pod execution (e.g. due to an update), the system
  4029. may or may not try to eventually evict the pod from its node.
  4030. type: object
  4031. required:
  4032. - nodeSelectorTerms
  4033. properties:
  4034. nodeSelectorTerms:
  4035. description: Required. A list of node selector terms. The terms are ORed.
  4036. type: array
  4037. items:
  4038. description: |-
  4039. A null or empty node selector term matches no objects. The requirements of
  4040. them are ANDed.
  4041. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  4042. type: object
  4043. properties:
  4044. matchExpressions:
  4045. description: A list of node selector requirements by node's labels.
  4046. type: array
  4047. items:
  4048. description: |-
  4049. A node selector requirement is a selector that contains values, a key, and an operator
  4050. that relates the key and values.
  4051. type: object
  4052. required:
  4053. - key
  4054. - operator
  4055. properties:
  4056. key:
  4057. description: The label key that the selector applies to.
  4058. type: string
  4059. operator:
  4060. description: |-
  4061. Represents a key's relationship to a set of values.
  4062. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  4063. type: string
  4064. values:
  4065. description: |-
  4066. An array of string values. If the operator is In or NotIn,
  4067. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4068. the values array must be empty. If the operator is Gt or Lt, the values
  4069. array must have a single element, which will be interpreted as an integer.
  4070. This array is replaced during a strategic merge patch.
  4071. type: array
  4072. items:
  4073. type: string
  4074. x-kubernetes-list-type: atomic
  4075. x-kubernetes-list-type: atomic
  4076. matchFields:
  4077. description: A list of node selector requirements by node's fields.
  4078. type: array
  4079. items:
  4080. description: |-
  4081. A node selector requirement is a selector that contains values, a key, and an operator
  4082. that relates the key and values.
  4083. type: object
  4084. required:
  4085. - key
  4086. - operator
  4087. properties:
  4088. key:
  4089. description: The label key that the selector applies to.
  4090. type: string
  4091. operator:
  4092. description: |-
  4093. Represents a key's relationship to a set of values.
  4094. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  4095. type: string
  4096. values:
  4097. description: |-
  4098. An array of string values. If the operator is In or NotIn,
  4099. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4100. the values array must be empty. If the operator is Gt or Lt, the values
  4101. array must have a single element, which will be interpreted as an integer.
  4102. This array is replaced during a strategic merge patch.
  4103. type: array
  4104. items:
  4105. type: string
  4106. x-kubernetes-list-type: atomic
  4107. x-kubernetes-list-type: atomic
  4108. x-kubernetes-map-type: atomic
  4109. x-kubernetes-list-type: atomic
  4110. x-kubernetes-map-type: atomic
  4111. podAffinity:
  4112. description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
  4113. type: object
  4114. properties:
  4115. preferredDuringSchedulingIgnoredDuringExecution:
  4116. description: |-
  4117. The scheduler will prefer to schedule pods to nodes that satisfy
  4118. the affinity expressions specified by this field, but it may choose
  4119. a node that violates one or more of the expressions. The node that is
  4120. most preferred is the one with the greatest sum of weights, i.e.
  4121. for each node that meets all of the scheduling requirements (resource
  4122. request, requiredDuringScheduling affinity expressions, etc.),
  4123. compute a sum by iterating through the elements of this field and adding
  4124. "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
  4125. node(s) with the highest sum are the most preferred.
  4126. type: array
  4127. items:
  4128. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  4129. type: object
  4130. required:
  4131. - podAffinityTerm
  4132. - weight
  4133. properties:
  4134. podAffinityTerm:
  4135. description: Required. A pod affinity term, associated with the corresponding weight.
  4136. type: object
  4137. required:
  4138. - topologyKey
  4139. properties:
  4140. labelSelector:
  4141. description: |-
  4142. A label query over a set of resources, in this case pods.
  4143. If it's null, this PodAffinityTerm matches with no Pods.
  4144. type: object
  4145. properties:
  4146. matchExpressions:
  4147. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4148. type: array
  4149. items:
  4150. description: |-
  4151. A label selector requirement is a selector that contains values, a key, and an operator that
  4152. relates the key and values.
  4153. type: object
  4154. required:
  4155. - key
  4156. - operator
  4157. properties:
  4158. key:
  4159. description: key is the label key that the selector applies to.
  4160. type: string
  4161. operator:
  4162. description: |-
  4163. operator represents a key's relationship to a set of values.
  4164. Valid operators are In, NotIn, Exists and DoesNotExist.
  4165. type: string
  4166. values:
  4167. description: |-
  4168. values is an array of string values. If the operator is In or NotIn,
  4169. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4170. the values array must be empty. This array is replaced during a strategic
  4171. merge patch.
  4172. type: array
  4173. items:
  4174. type: string
  4175. x-kubernetes-list-type: atomic
  4176. x-kubernetes-list-type: atomic
  4177. matchLabels:
  4178. description: |-
  4179. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4180. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4181. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4182. type: object
  4183. additionalProperties:
  4184. type: string
  4185. x-kubernetes-map-type: atomic
  4186. matchLabelKeys:
  4187. description: |-
  4188. MatchLabelKeys is a set of pod label keys used to select which pods are
  4189. taken into consideration. Each key is looked up in the incoming pod's labels, and the
  4190. resulting key-value pairs are merged into `labelSelector` as `key in (value)`
  4191. to select the group of existing pods considered for the incoming pod's
  4192. pod (anti) affinity. Keys that are not present in the incoming pod's labels
  4193. are ignored. The default value is empty.
  4194. The same key may not appear in both matchLabelKeys and labelSelector.
  4195. Also, matchLabelKeys cannot be set when labelSelector is not set.
  4196. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
  4197. type: array
  4198. items:
  4199. type: string
  4200. x-kubernetes-list-type: atomic
  4201. mismatchLabelKeys:
  4202. description: |-
  4203. MismatchLabelKeys is a set of pod label keys used to select which pods are
  4204. taken into consideration. Each key is looked up in the incoming pod's labels, and the
  4205. resulting key-value pairs are merged into `labelSelector` as `key notin (value)`
  4206. to select the group of existing pods considered for the incoming pod's
  4207. pod (anti) affinity. Keys that are not present in the incoming pod's labels
  4208. are ignored. The default value is empty.
  4209. The same key may not appear in both mismatchLabelKeys and labelSelector.
  4210. Also, mismatchLabelKeys cannot be set when labelSelector is not set.
  4211. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
  4212. type: array
  4213. items:
  4214. type: string
  4215. x-kubernetes-list-type: atomic
  4216. namespaceSelector:
  4217. description: |-
  4218. A label query over the set of namespaces that the term applies to.
  4219. The term is applied to the union of the namespaces selected by this field
  4220. and the ones listed in the namespaces field.
  4221. null selector and null or empty namespaces list means "this pod's namespace".
  4222. An empty selector ({}) matches all namespaces.
  4223. type: object
  4224. properties:
  4225. matchExpressions:
  4226. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4227. type: array
  4228. items:
  4229. description: |-
  4230. A label selector requirement is a selector that contains values, a key, and an operator that
  4231. relates the key and values.
  4232. type: object
  4233. required:
  4234. - key
  4235. - operator
  4236. properties:
  4237. key:
  4238. description: key is the label key that the selector applies to.
  4239. type: string
  4240. operator:
  4241. description: |-
  4242. operator represents a key's relationship to a set of values.
  4243. Valid operators are In, NotIn, Exists and DoesNotExist.
  4244. type: string
  4245. values:
  4246. description: |-
  4247. values is an array of string values. If the operator is In or NotIn,
  4248. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4249. the values array must be empty. This array is replaced during a strategic
  4250. merge patch.
  4251. type: array
  4252. items:
  4253. type: string
  4254. x-kubernetes-list-type: atomic
  4255. x-kubernetes-list-type: atomic
  4256. matchLabels:
  4257. description: |-
  4258. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4259. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4260. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4261. type: object
  4262. additionalProperties:
  4263. type: string
  4264. x-kubernetes-map-type: atomic
  4265. namespaces:
  4266. description: |-
  4267. namespaces specifies a static list of namespace names that the term applies to.
  4268. The term is applied to the union of the namespaces listed in this field
  4269. and the ones selected by namespaceSelector.
  4270. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  4271. type: array
  4272. items:
  4273. type: string
  4274. x-kubernetes-list-type: atomic
  4275. topologyKey:
  4276. description: |-
  4277. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  4278. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  4279. whose value of the label with key topologyKey matches that of any node on which any of the
  4280. selected pods is running.
  4281. Empty topologyKey is not allowed.
  4282. type: string
  4283. weight:
  4284. description: |-
  4285. weight associated with matching the corresponding podAffinityTerm,
  4286. in the range 1-100.
  4287. type: integer
  4288. format: int32
  4289. x-kubernetes-list-type: atomic
  4290. requiredDuringSchedulingIgnoredDuringExecution:
  4291. description: |-
  4292. If the affinity requirements specified by this field are not met at
  4293. scheduling time, the pod will not be scheduled onto the node.
  4294. If the affinity requirements specified by this field cease to be met
  4295. at some point during pod execution (e.g. due to a pod label update), the
  4296. system may or may not try to eventually evict the pod from its node.
  4297. When there are multiple elements, the lists of nodes corresponding to each
  4298. podAffinityTerm are intersected, i.e. all terms must be satisfied.
  4299. type: array
  4300. items:
  4301. description: |-
  4302. Defines a set of pods (namely those matching the labelSelector
  4303. relative to the given namespace(s)) that this pod should be
  4304. co-located (affinity) or not co-located (anti-affinity) with,
  4305. where co-located is defined as running on a node whose value of
  4306. the label with key <topologyKey> matches that of any node on which
  4307. a pod of the set of pods is running
  4308. type: object
  4309. required:
  4310. - topologyKey
  4311. properties:
  4312. labelSelector:
  4313. description: |-
  4314. A label query over a set of resources, in this case pods.
  4315. If it's null, this PodAffinityTerm matches with no Pods.
  4316. type: object
  4317. properties:
  4318. matchExpressions:
  4319. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4320. type: array
  4321. items:
  4322. description: |-
  4323. A label selector requirement is a selector that contains values, a key, and an operator that
  4324. relates the key and values.
  4325. type: object
  4326. required:
  4327. - key
  4328. - operator
  4329. properties:
  4330. key:
  4331. description: key is the label key that the selector applies to.
  4332. type: string
  4333. operator:
  4334. description: |-
  4335. operator represents a key's relationship to a set of values.
  4336. Valid operators are In, NotIn, Exists and DoesNotExist.
  4337. type: string
  4338. values:
  4339. description: |-
  4340. values is an array of string values. If the operator is In or NotIn,
  4341. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4342. the values array must be empty. This array is replaced during a strategic
  4343. merge patch.
  4344. type: array
  4345. items:
  4346. type: string
  4347. x-kubernetes-list-type: atomic
  4348. x-kubernetes-list-type: atomic
  4349. matchLabels:
  4350. description: |-
  4351. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4352. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4353. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4354. type: object
  4355. additionalProperties:
  4356. type: string
  4357. x-kubernetes-map-type: atomic
  4358. matchLabelKeys:
  4359. description: |-
  4360. MatchLabelKeys is a set of pod label keys used to select which pods are
  4361. taken into consideration. Each key is looked up in the incoming pod's labels, and the
  4362. resulting key-value pairs are merged into `labelSelector` as `key in (value)`
  4363. to select the group of existing pods considered for the incoming pod's
  4364. pod (anti) affinity. Keys that are not present in the incoming pod's labels
  4365. are ignored. The default value is empty.
  4366. The same key may not appear in both matchLabelKeys and labelSelector.
  4367. Also, matchLabelKeys cannot be set when labelSelector is not set.
  4368. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
  4369. type: array
  4370. items:
  4371. type: string
  4372. x-kubernetes-list-type: atomic
  4373. mismatchLabelKeys:
  4374. description: |-
  4375. MismatchLabelKeys is a set of pod label keys used to select which pods are
  4376. taken into consideration. Each key is looked up in the incoming pod's labels, and the
  4377. resulting key-value pairs are merged into `labelSelector` as `key notin (value)`
  4378. to select the group of existing pods considered for the incoming pod's
  4379. pod (anti) affinity. Keys that are not present in the incoming pod's labels
  4380. are ignored. The default value is empty.
  4381. The same key may not appear in both mismatchLabelKeys and labelSelector.
  4382. Also, mismatchLabelKeys cannot be set when labelSelector is not set.
  4383. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
  4384. type: array
  4385. items:
  4386. type: string
  4387. x-kubernetes-list-type: atomic
  4388. namespaceSelector:
  4389. description: |-
  4390. A label query over the set of namespaces that the term applies to.
  4391. The term is applied to the union of the namespaces selected by this field
  4392. and the ones listed in the namespaces field.
  4393. null selector and null or empty namespaces list means "this pod's namespace".
  4394. An empty selector ({}) matches all namespaces.
  4395. type: object
  4396. properties:
  4397. matchExpressions:
  4398. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4399. type: array
  4400. items:
  4401. description: |-
  4402. A label selector requirement is a selector that contains values, a key, and an operator that
  4403. relates the key and values.
  4404. type: object
  4405. required:
  4406. - key
  4407. - operator
  4408. properties:
  4409. key:
  4410. description: key is the label key that the selector applies to.
  4411. type: string
  4412. operator:
  4413. description: |-
  4414. operator represents a key's relationship to a set of values.
  4415. Valid operators are In, NotIn, Exists and DoesNotExist.
  4416. type: string
  4417. values:
  4418. description: |-
  4419. values is an array of string values. If the operator is In or NotIn,
  4420. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4421. the values array must be empty. This array is replaced during a strategic
  4422. merge patch.
  4423. type: array
  4424. items:
  4425. type: string
  4426. x-kubernetes-list-type: atomic
  4427. x-kubernetes-list-type: atomic
  4428. matchLabels:
  4429. description: |-
  4430. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4431. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4432. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4433. type: object
  4434. additionalProperties:
  4435. type: string
  4436. x-kubernetes-map-type: atomic
  4437. namespaces:
  4438. description: |-
  4439. namespaces specifies a static list of namespace names that the term applies to.
  4440. The term is applied to the union of the namespaces listed in this field
  4441. and the ones selected by namespaceSelector.
  4442. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  4443. type: array
  4444. items:
  4445. type: string
  4446. x-kubernetes-list-type: atomic
  4447. topologyKey:
  4448. description: |-
  4449. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  4450. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  4451. whose value of the label with key topologyKey matches that of any node on which any of the
  4452. selected pods is running.
  4453. Empty topologyKey is not allowed.
  4454. type: string
  4455. x-kubernetes-list-type: atomic
  4456. podAntiAffinity:
  4457. description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
  4458. type: object
  4459. properties:
  4460. preferredDuringSchedulingIgnoredDuringExecution:
  4461. description: |-
  4462. The scheduler will prefer to schedule pods to nodes that satisfy
  4463. the anti-affinity expressions specified by this field, but it may choose
  4464. a node that violates one or more of the expressions. The node that is
  4465. most preferred is the one with the greatest sum of weights, i.e.
  4466. for each node that meets all of the scheduling requirements (resource
  4467. request, requiredDuringScheduling anti-affinity expressions, etc.),
  4468. compute a sum by iterating through the elements of this field and adding
  4469. "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
  4470. node(s) with the highest sum are the most preferred.
  4471. type: array
  4472. items:
  4473. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  4474. type: object
  4475. required:
  4476. - podAffinityTerm
  4477. - weight
  4478. properties:
  4479. podAffinityTerm:
  4480. description: Required. A pod affinity term, associated with the corresponding weight.
  4481. type: object
  4482. required:
  4483. - topologyKey
  4484. properties:
  4485. labelSelector:
  4486. description: |-
  4487. A label query over a set of resources, in this case pods.
  4488. If it's null, this PodAffinityTerm matches with no Pods.
  4489. type: object
  4490. properties:
  4491. matchExpressions:
  4492. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4493. type: array
  4494. items:
  4495. description: |-
  4496. A label selector requirement is a selector that contains values, a key, and an operator that
  4497. relates the key and values.
  4498. type: object
  4499. required:
  4500. - key
  4501. - operator
  4502. properties:
  4503. key:
  4504. description: key is the label key that the selector applies to.
  4505. type: string
  4506. operator:
  4507. description: |-
  4508. operator represents a key's relationship to a set of values.
  4509. Valid operators are In, NotIn, Exists and DoesNotExist.
  4510. type: string
  4511. values:
  4512. description: |-
  4513. values is an array of string values. If the operator is In or NotIn,
  4514. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4515. the values array must be empty. This array is replaced during a strategic
  4516. merge patch.
  4517. type: array
  4518. items:
  4519. type: string
  4520. x-kubernetes-list-type: atomic
  4521. x-kubernetes-list-type: atomic
  4522. matchLabels:
  4523. description: |-
  4524. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4525. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4526. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4527. type: object
  4528. additionalProperties:
  4529. type: string
  4530. x-kubernetes-map-type: atomic
  4531. matchLabelKeys:
  4532. description: |-
  4533. MatchLabelKeys is a set of pod label keys used to select which pods are
  4534. taken into consideration. Each key is looked up in the incoming pod's labels, and the
  4535. resulting key-value pairs are merged into `labelSelector` as `key in (value)`
  4536. to select the group of existing pods considered for the incoming pod's
  4537. pod (anti) affinity. Keys that are not present in the incoming pod's labels
  4538. are ignored. The default value is empty.
  4539. The same key may not appear in both matchLabelKeys and labelSelector.
  4540. Also, matchLabelKeys cannot be set when labelSelector is not set.
  4541. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
  4542. type: array
  4543. items:
  4544. type: string
  4545. x-kubernetes-list-type: atomic
  4546. mismatchLabelKeys:
  4547. description: |-
  4548. MismatchLabelKeys is a set of pod label keys used to select which pods are
  4549. taken into consideration. Each key is looked up in the incoming pod's labels, and the
  4550. resulting key-value pairs are merged into `labelSelector` as `key notin (value)`
  4551. to select the group of existing pods considered for the incoming pod's
  4552. pod (anti) affinity. Keys that are not present in the incoming pod's labels
  4553. are ignored. The default value is empty.
  4554. The same key may not appear in both mismatchLabelKeys and labelSelector.
  4555. Also, mismatchLabelKeys cannot be set when labelSelector is not set.
  4556. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
  4557. type: array
  4558. items:
  4559. type: string
  4560. x-kubernetes-list-type: atomic
  4561. namespaceSelector:
  4562. description: |-
  4563. A label query over the set of namespaces that the term applies to.
  4564. The term is applied to the union of the namespaces selected by this field
  4565. and the ones listed in the namespaces field.
  4566. null selector and null or empty namespaces list means "this pod's namespace".
  4567. An empty selector ({}) matches all namespaces.
  4568. type: object
  4569. properties:
  4570. matchExpressions:
  4571. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4572. type: array
  4573. items:
  4574. description: |-
  4575. A label selector requirement is a selector that contains values, a key, and an operator that
  4576. relates the key and values.
  4577. type: object
  4578. required:
  4579. - key
  4580. - operator
  4581. properties:
  4582. key:
  4583. description: key is the label key that the selector applies to.
  4584. type: string
  4585. operator:
  4586. description: |-
  4587. operator represents a key's relationship to a set of values.
  4588. Valid operators are In, NotIn, Exists and DoesNotExist.
  4589. type: string
  4590. values:
  4591. description: |-
  4592. values is an array of string values. If the operator is In or NotIn,
  4593. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4594. the values array must be empty. This array is replaced during a strategic
  4595. merge patch.
  4596. type: array
  4597. items:
  4598. type: string
  4599. x-kubernetes-list-type: atomic
  4600. x-kubernetes-list-type: atomic
  4601. matchLabels:
  4602. description: |-
  4603. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4604. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4605. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4606. type: object
  4607. additionalProperties:
  4608. type: string
  4609. x-kubernetes-map-type: atomic
  4610. namespaces:
  4611. description: |-
  4612. namespaces specifies a static list of namespace names that the term applies to.
  4613. The term is applied to the union of the namespaces listed in this field
  4614. and the ones selected by namespaceSelector.
  4615. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  4616. type: array
  4617. items:
  4618. type: string
  4619. x-kubernetes-list-type: atomic
  4620. topologyKey:
  4621. description: |-
  4622. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  4623. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  4624. whose value of the label with key topologyKey matches that of any node on which any of the
  4625. selected pods is running.
  4626. Empty topologyKey is not allowed.
  4627. type: string
  4628. weight:
  4629. description: |-
  4630. weight associated with matching the corresponding podAffinityTerm,
  4631. in the range 1-100.
  4632. type: integer
  4633. format: int32
  4634. x-kubernetes-list-type: atomic
  4635. requiredDuringSchedulingIgnoredDuringExecution:
  4636. description: |-
  4637. If the anti-affinity requirements specified by this field are not met at
  4638. scheduling time, the pod will not be scheduled onto the node.
  4639. If the anti-affinity requirements specified by this field cease to be met
  4640. at some point during pod execution (e.g. due to a pod label update), the
  4641. system may or may not try to eventually evict the pod from its node.
  4642. When there are multiple elements, the lists of nodes corresponding to each
  4643. podAffinityTerm are intersected, i.e. all terms must be satisfied.
  4644. type: array
  4645. items:
  4646. description: |-
  4647. Defines a set of pods (namely those matching the labelSelector
  4648. relative to the given namespace(s)) that this pod should be
  4649. co-located (affinity) or not co-located (anti-affinity) with,
  4650. where co-located is defined as running on a node whose value of
  4651. the label with key <topologyKey> matches that of any node on which
  4652. a pod of the set of pods is running
  4653. type: object
  4654. required:
  4655. - topologyKey
  4656. properties:
  4657. labelSelector:
  4658. description: |-
  4659. A label query over a set of resources, in this case pods.
  4660. If it's null, this PodAffinityTerm matches with no Pods.
  4661. type: object
  4662. properties:
  4663. matchExpressions:
  4664. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4665. type: array
  4666. items:
  4667. description: |-
  4668. A label selector requirement is a selector that contains values, a key, and an operator that
  4669. relates the key and values.
  4670. type: object
  4671. required:
  4672. - key
  4673. - operator
  4674. properties:
  4675. key:
  4676. description: key is the label key that the selector applies to.
  4677. type: string
  4678. operator:
  4679. description: |-
  4680. operator represents a key's relationship to a set of values.
  4681. Valid operators are In, NotIn, Exists and DoesNotExist.
  4682. type: string
  4683. values:
  4684. description: |-
  4685. values is an array of string values. If the operator is In or NotIn,
  4686. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4687. the values array must be empty. This array is replaced during a strategic
  4688. merge patch.
  4689. type: array
  4690. items:
  4691. type: string
  4692. x-kubernetes-list-type: atomic
  4693. x-kubernetes-list-type: atomic
  4694. matchLabels:
  4695. description: |-
  4696. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4697. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4698. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4699. type: object
  4700. additionalProperties:
  4701. type: string
  4702. x-kubernetes-map-type: atomic
  4703. matchLabelKeys:
  4704. description: |-
  4705. MatchLabelKeys is a set of pod label keys to select which pods will
  4706. be taken into consideration. The keys are used to lookup values from the
  4707. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  4708. to select the group of existing pods that will be taken into consideration
  4709. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  4710. pod labels will be ignored. The default value is empty.
  4711. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  4712. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  4713. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  4714. type: array
  4715. items:
  4716. type: string
  4717. x-kubernetes-list-type: atomic
  4718. mismatchLabelKeys:
  4719. description: |-
  4720. MismatchLabelKeys is a set of pod label keys to select which pods will
  4721. be taken into consideration. The keys are used to lookup values from the
  4722. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  4723. to select the group of existing pods that will be taken into consideration
  4724. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  4725. pod labels will be ignored. The default value is empty.
  4726. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  4727. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  4728. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  4729. type: array
  4730. items:
  4731. type: string
  4732. x-kubernetes-list-type: atomic
  4733. namespaceSelector:
  4734. description: |-
  4735. A label query over the set of namespaces that the term applies to.
  4736. The term is applied to the union of the namespaces selected by this field
  4737. and the ones listed in the namespaces field.
  4738. null selector and null or empty namespaces list means "this pod's namespace".
  4739. An empty selector ({}) matches all namespaces.
  4740. type: object
  4741. properties:
  4742. matchExpressions:
  4743. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  4744. type: array
  4745. items:
  4746. description: |-
  4747. A label selector requirement is a selector that contains values, a key, and an operator that
  4748. relates the key and values.
  4749. type: object
  4750. required:
  4751. - key
  4752. - operator
  4753. properties:
  4754. key:
  4755. description: key is the label key that the selector applies to.
  4756. type: string
  4757. operator:
  4758. description: |-
  4759. operator represents a key's relationship to a set of values.
  4760. Valid operators are In, NotIn, Exists and DoesNotExist.
  4761. type: string
  4762. values:
  4763. description: |-
  4764. values is an array of string values. If the operator is In or NotIn,
  4765. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  4766. the values array must be empty. This array is replaced during a strategic
  4767. merge patch.
  4768. type: array
  4769. items:
  4770. type: string
  4771. x-kubernetes-list-type: atomic
  4772. x-kubernetes-list-type: atomic
  4773. matchLabels:
  4774. description: |-
  4775. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  4776. map is equivalent to an element of matchExpressions, whose key field is "key", the
  4777. operator is "In", and the values array contains only "value". The requirements are ANDed.
  4778. type: object
  4779. additionalProperties:
  4780. type: string
  4781. x-kubernetes-map-type: atomic
  4782. namespaces:
  4783. description: |-
  4784. namespaces specifies a static list of namespace names that the term applies to.
  4785. The term is applied to the union of the namespaces listed in this field
  4786. and the ones selected by namespaceSelector.
  4787. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  4788. type: array
  4789. items:
  4790. type: string
  4791. x-kubernetes-list-type: atomic
  4792. topologyKey:
  4793. description: |-
  4794. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  4795. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  4796. whose value of the label with key topologyKey matches that of any node on which any of the
  4797. selected pods is running.
  4798. Empty topologyKey is not allowed.
  4799. type: string
  4800. x-kubernetes-list-type: atomic
  4801. imagePullSecrets:
  4802. description: If specified, the pod's imagePullSecrets
  4803. type: array
  4804. items:
  4805. description: |-
  4806. LocalObjectReference contains enough information to let you locate the
  4807. referenced object inside the same namespace.
  4808. type: object
  4809. properties:
  4810. name:
  4811. description: |-
  4812. Name of the referent.
  4813. This field is effectively required, but due to backwards compatibility is
  4814. allowed to be empty. Instances of this type with an empty value here are
  4815. almost certainly wrong.
  4816. TODO: Add other useful fields. apiVersion, kind, uid?
  4817. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  4818. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  4819. type: string
  4820. default: ""
  4821. x-kubernetes-map-type: atomic
  4822. nodeSelector:
  4823. description: |-
  4824. NodeSelector is a selector which must be true for the pod to fit on a node.
  4825. Selector which must match a node's labels for the pod to be scheduled on that node.
  4826. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  4827. type: object
  4828. additionalProperties:
  4829. type: string
  4830. priorityClassName:
  4831. description: If specified, the pod's priorityClassName.
  4832. type: string
  4833. serviceAccountName:
  4834. description: If specified, the pod's service account
  4835. type: string
  4836. tolerations:
  4837. description: If specified, the pod's tolerations.
  4838. type: array
  4839. items:
  4840. description: |-
  4841. The pod this Toleration is attached to tolerates any taint that matches
  4842. the triple <key,value,effect> using the matching operator <operator>.
  4843. type: object
  4844. properties:
  4845. effect:
  4846. description: |-
  4847. Effect indicates the taint effect to match. Empty means match all taint effects.
  4848. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
  4849. type: string
  4850. key:
  4851. description: |-
  4852. Key is the taint key that the toleration applies to. Empty means match all taint keys.
  4853. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  4854. type: string
  4855. operator:
  4856. description: |-
  4857. Operator represents a key's relationship to the value.
  4858. Valid operators are Exists and Equal. Defaults to Equal.
  4859. Exists is equivalent to wildcard for value, so that a pod can
  4860. tolerate all taints of a particular category.
  4861. type: string
  4862. tolerationSeconds:
  4863. description: |-
  4864. TolerationSeconds represents the period of time the toleration (which must be
  4865. of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
  4866. it is not set, which means tolerate the taint forever (do not evict). Zero and
  4867. negative values will be treated as 0 (evict immediately) by the system.
  4868. type: integer
  4869. format: int64
  4870. value:
  4871. description: |-
  4872. Value is the taint value the toleration matches to.
  4873. If the operator is Exists, the value should be empty, otherwise just a regular string.
  4874. type: string
  4875. serviceType:
  4876. description: |-
  4877. Optional service type for Kubernetes solver service. Supported values
  4878. are NodePort or ClusterIP. If unset, defaults to NodePort.
  4879. type: string
  4880. selector:
  4881. description: |-
  4882. Selector selects a set of DNSNames on the Certificate resource that
  4883. should be solved using this challenge solver.
  4884. If not specified, the solver will be treated as the 'default' solver
  4885. with the lowest priority, i.e. if any other solver has a more specific
  4886. match, it will be used instead.
  4887. type: object
  4888. properties:
  4889. dnsNames:
  4890. description: |-
  4891. List of DNSNames that this solver will be used to solve.
  4892. If specified and a match is found, a dnsNames selector will take
  4893. precedence over a dnsZones selector.
  4894. If multiple solvers match with the same dnsNames value, the solver
  4895. with the most matching labels in matchLabels will be selected.
  4896. If neither has more matches, the solver defined earlier in the list
  4897. will be selected.
  4898. type: array
  4899. items:
  4900. type: string
  4901. dnsZones:
  4902. description: |-
  4903. List of DNSZones that this solver will be used to solve.
  4904. The most specific DNS zone match specified here will take precedence
  4905. over other DNS zone matches, so a solver specifying sys.example.com
  4906. will be selected over one specifying example.com for the domain
  4907. www.sys.example.com.
  4908. If multiple solvers match with the same dnsZones value, the solver
  4909. with the most matching labels in matchLabels will be selected.
  4910. If neither has more matches, the solver defined earlier in the list
  4911. will be selected.
  4912. type: array
  4913. items:
  4914. type: string
  4915. matchLabels:
  4916. description: |-
  4917. A label selector that is used to refine the set of certificates that
  4918. this challenge solver will apply to.
  4919. type: object
  4920. additionalProperties:
  4921. type: string
  4922. ca:
  4923. description: |-
  4924. CA configures this issuer to sign certificates using a signing CA keypair
  4925. stored in a Secret resource.
  4926. This is used to build internal PKIs that are managed by cert-manager.
  4927. type: object
  4928. required:
  4929. - secretName
  4930. properties:
  4931. crlDistributionPoints:
  4932. description: |-
  4933. The CRL distribution points is an X.509 v3 certificate extension which identifies
  4934. the location of the CRL from which the revocation of this certificate can be checked.
  4935. If not set, certificates will be issued without distribution points set.
  4936. type: array
  4937. items:
  4938. type: string
  4939. issuingCertificateURLs:
  4940. description: |-
  4941. IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
  4942. it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
  4943. As an example, such a URL might be "http://ca.domain.com/ca.crt".
  4944. type: array
  4945. items:
  4946. type: string
  4947. ocspServers:
  4948. description: |-
  4949. The OCSP server list is an X.509 v3 extension that defines a list of
  4950. URLs of OCSP responders. The OCSP responders can be queried for the
  4951. revocation status of an issued certificate. If not set, the
  4952. certificate will be issued with no OCSP servers set. For example, an
  4953. OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
  4954. type: array
  4955. items:
  4956. type: string
  4957. secretName:
  4958. description: |-
  4959. SecretName is the name of the secret used to sign Certificates issued
  4960. by this Issuer.
  4961. type: string
  4962. selfSigned:
  4963. description: |-
  4964. SelfSigned configures this issuer to 'self sign' certificates using the
  4965. private key used to create the CertificateRequest object.
  4966. type: object
  4967. properties:
  4968. crlDistributionPoints:
  4969. description: |-
  4970. The CRL distribution points is an X.509 v3 certificate extension which identifies
  4971. the location of the CRL from which the revocation of this certificate can be checked.
  4972. If not set, the certificate will be issued without CDP. Values are strings.
  4973. type: array
  4974. items:
  4975. type: string
  4976. vault:
  4977. description: |-
  4978. Vault configures this issuer to sign certificates using a HashiCorp Vault
  4979. PKI backend.
  4980. type: object
  4981. required:
  4982. - auth
  4983. - path
  4984. - server
  4985. properties:
  4986. auth:
  4987. description: Auth configures how cert-manager authenticates with the Vault server.
  4988. type: object
  4989. properties:
  4990. appRole:
  4991. description: |-
  4992. AppRole authenticates with Vault using the App Role auth mechanism,
  4993. with the role and secret stored in a Kubernetes Secret resource.
  4994. type: object
  4995. required:
  4996. - path
  4997. - roleId
  4998. - secretRef
  4999. properties:
  5000. path:
  5001. description: |-
  5002. Path where the App Role authentication backend is mounted in Vault, e.g:
  5003. "approle"
  5004. type: string
  5005. roleId:
  5006. description: |-
  5007. RoleID configured in the App Role authentication backend when setting
  5008. up the authentication backend in Vault.
  5009. type: string
  5010. secretRef:
  5011. description: |-
  5012. Reference to a key in a Secret that contains the App Role secret used
  5013. to authenticate with Vault.
  5014. The `key` field must be specified and denotes which entry within the Secret
  5015. resource is used as the app role secret.
  5016. type: object
  5017. required:
  5018. - name
  5019. properties:
  5020. key:
  5021. description: |-
  5022. The key of the entry in the Secret resource's `data` field to be used.
  5023. Some instances of this field may be defaulted, in others it may be
  5024. required.
  5025. type: string
  5026. name:
  5027. description: |-
  5028. Name of the resource being referred to.
  5029. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5030. type: string
  5031. kubernetes:
  5032. description: |-
  5033. Kubernetes authenticates with Vault by passing the ServiceAccount
  5034. token stored in the named Secret resource to the Vault server.
  5035. type: object
  5036. required:
  5037. - role
  5038. properties:
  5039. mountPath:
  5040. description: |-
  5041. The Vault mountPath here is the mount path to use when authenticating with
  5042. Vault. For example, setting a value to `/v1/auth/foo`, will use the path
  5043. `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
  5044. default value "/v1/auth/kubernetes" will be used.
  5045. type: string
  5046. role:
  5047. description: |-
  5048. A required field containing the Vault Role to assume. A Role binds a
  5049. Kubernetes ServiceAccount with a set of Vault policies.
  5050. type: string
  5051. secretRef:
  5052. description: |-
  5053. The required Secret field containing a Kubernetes ServiceAccount JWT used
  5054. for authenticating with Vault. Use of 'ambient credentials' is not
  5055. supported.
  5056. type: object
  5057. required:
  5058. - name
  5059. properties:
  5060. key:
  5061. description: |-
  5062. The key of the entry in the Secret resource's `data` field to be used.
  5063. Some instances of this field may be defaulted, in others it may be
  5064. required.
  5065. type: string
  5066. name:
  5067. description: |-
  5068. Name of the resource being referred to.
  5069. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5070. type: string
  5071. serviceAccountRef:
  5072. description: |-
  5073. A reference to a service account that will be used to request a bound
  5074. token (also known as "projected token"). Compared to using "secretRef",
  5075. using this field means that you don't rely on statically bound tokens. To
  5076. use this field, you must configure an RBAC rule to let cert-manager
  5077. request a token.
  5078. type: object
  5079. required:
  5080. - name
  5081. properties:
  5082. audiences:
  5083. description: |-
  5084. TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
  5085. consisting of the issuer's namespace and name is always included.
  5086. type: array
  5087. items:
  5088. type: string
  5089. name:
  5090. description: Name of the ServiceAccount used to request a token.
  5091. type: string
  5092. tokenSecretRef:
  5093. description: TokenSecretRef authenticates with Vault by presenting a token.
  5094. type: object
  5095. required:
  5096. - name
  5097. properties:
  5098. key:
  5099. description: |-
  5100. The key of the entry in the Secret resource's `data` field to be used.
  5101. Some instances of this field may be defaulted, in others it may be
  5102. required.
  5103. type: string
  5104. name:
  5105. description: |-
  5106. Name of the resource being referred to.
  5107. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5108. type: string
  5109. caBundle:
  5110. description: |-
  5111. Base64-encoded bundle of PEM CAs which will be used to validate the certificate
  5112. chain presented by Vault. Only used if using HTTPS to connect to Vault and
  5113. ignored for HTTP connections.
  5114. Mutually exclusive with CABundleSecretRef.
  5115. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
  5116. the cert-manager controller container is used to validate the TLS connection.
  5117. type: string
  5118. format: byte
  5119. caBundleSecretRef:
  5120. description: |-
  5121. Reference to a Secret containing a bundle of PEM-encoded CAs to use when
  5122. verifying the certificate chain presented by Vault when using HTTPS.
  5123. Mutually exclusive with CABundle.
  5124. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
  5125. the cert-manager controller container is used to validate the TLS connection.
  5126. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
  5127. type: object
  5128. required:
  5129. - name
  5130. properties:
  5131. key:
  5132. description: |-
  5133. The key of the entry in the Secret resource's `data` field to be used.
  5134. Some instances of this field may be defaulted, in others it may be
  5135. required.
  5136. type: string
  5137. name:
  5138. description: |-
  5139. Name of the resource being referred to.
  5140. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5141. type: string
  5142. clientCertSecretRef:
  5143. description: |-
  5144. Reference to a Secret containing a PEM-encoded Client Certificate to use when the
  5145. Vault server requires mTLS.
  5146. type: object
  5147. required:
  5148. - name
  5149. properties:
  5150. key:
  5151. description: |-
  5152. The key of the entry in the Secret resource's `data` field to be used.
  5153. Some instances of this field may be defaulted, in others it may be
  5154. required.
  5155. type: string
  5156. name:
  5157. description: |-
  5158. Name of the resource being referred to.
  5159. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5160. type: string
  5161. clientKeySecretRef:
  5162. description: |-
  5163. Reference to a Secret containing a PEM-encoded Client Private Key to use when the
  5164. Vault server requires mTLS.
  5165. type: object
  5166. required:
  5167. - name
  5168. properties:
  5169. key:
  5170. description: |-
  5171. The key of the entry in the Secret resource's `data` field to be used.
  5172. Some instances of this field may be defaulted, in others it may be
  5173. required.
  5174. type: string
  5175. name:
  5176. description: |-
  5177. Name of the resource being referred to.
  5178. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5179. type: string
  5180. namespace:
  5181. description: |-
  5182. Name of the vault namespace. Namespaces are a feature of Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
  5183. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  5184. type: string
  5185. path:
  5186. description: |-
  5187. Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
  5188. "my_pki_mount/sign/my-role-name".
  5189. type: string
  5190. server:
  5191. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5192. type: string
  5193. venafi:
  5194. description: |-
  5195. Venafi configures this issuer to sign certificates using a Venafi TPP
  5196. or Venafi Cloud policy zone.
  5197. type: object
  5198. required:
  5199. - zone
  5200. properties:
  5201. cloud:
  5202. description: |-
  5203. Cloud specifies the Venafi cloud configuration settings.
  5204. Only one of TPP or Cloud may be specified.
  5205. type: object
  5206. required:
  5207. - apiTokenSecretRef
  5208. properties:
  5209. apiTokenSecretRef:
  5210. description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
  5211. type: object
  5212. required:
  5213. - name
  5214. properties:
  5215. key:
  5216. description: |-
  5217. The key of the entry in the Secret resource's `data` field to be used.
  5218. Some instances of this field may be defaulted, in others it may be
  5219. required.
  5220. type: string
  5221. name:
  5222. description: |-
  5223. Name of the resource being referred to.
  5224. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5225. type: string
  5226. url:
  5227. description: |-
  5228. URL is the base URL for Venafi Cloud.
  5229. Defaults to "https://api.venafi.cloud/v1".
  5230. type: string
  5231. tpp:
  5232. description: |-
  5233. TPP specifies Trust Protection Platform configuration settings.
  5234. Only one of TPP or Cloud may be specified.
  5235. type: object
  5236. required:
  5237. - credentialsRef
  5238. - url
  5239. properties:
  5240. caBundle:
  5241. description: |-
  5242. Base64-encoded bundle of PEM CAs which will be used to validate the certificate
  5243. chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
  5244. If undefined, the certificate bundle in the cert-manager controller container
  5245. is used to validate the chain.
  5246. type: string
  5247. format: byte
  5248. credentialsRef:
  5249. description: |-
  5250. CredentialsRef is a reference to a Secret containing the username and
  5251. password for the TPP server.
  5252. The secret must contain two keys, 'username' and 'password'.
  5253. type: object
  5254. required:
  5255. - name
  5256. properties:
  5257. name:
  5258. description: |-
  5259. Name of the resource being referred to.
  5260. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5261. type: string
  5262. url:
  5263. description: |-
  5264. URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
  5265. for example: "https://tpp.example.com/vedsdk".
  5266. type: string
  5267. zone:
  5268. description: |-
  5269. Zone is the Venafi Policy Zone to use for this issuer.
  5270. All requests made to the Venafi platform will be restricted by the named
  5271. zone policy.
  5272. This field is required.
  5273. type: string
  5274. status:
  5275. description: Status of the ClusterIssuer. This is set and managed automatically.
  5276. type: object
  5277. properties:
  5278. acme:
  5279. description: |-
  5280. ACME specific status options.
  5281. This field should only be set if the Issuer is configured to use an ACME
  5282. server to issue certificates.
  5283. type: object
  5284. properties:
  5285. lastPrivateKeyHash:
  5286. description: |-
  5287. LastPrivateKeyHash is a hash of the private key associated with the latest
  5288. registered ACME account, in order to track changes made to the registered account
  5289. associated with the Issuer
  5290. type: string
  5291. lastRegisteredEmail:
  5292. description: |-
  5293. LastRegisteredEmail is the email associated with the latest registered
  5294. ACME account, in order to track changes made to the registered account
  5295. associated with the Issuer
  5296. type: string
  5297. uri:
  5298. description: |-
  5299. URI is the unique account identifier, which can also be used to retrieve
  5300. account details from the CA
  5301. type: string
  5302. conditions:
  5303. description: |-
  5304. List of status conditions to indicate the status of a CertificateRequest.
  5305. Known condition types are `Ready`.
  5306. type: array
  5307. items:
  5308. description: IssuerCondition contains condition information for an Issuer.
  5309. type: object
  5310. required:
  5311. - status
  5312. - type
  5313. properties:
  5314. lastTransitionTime:
  5315. description: |-
  5316. LastTransitionTime is the timestamp corresponding to the last status
  5317. change of this condition.
  5318. type: string
  5319. format: date-time
  5320. message:
  5321. description: |-
  5322. Message is a human readable description of the details of the last
  5323. transition, complementing reason.
  5324. type: string
  5325. observedGeneration:
  5326. description: |-
  5327. If set, this represents the .metadata.generation that the condition was
  5328. set based upon.
  5329. For instance, if .metadata.generation is currently 12, but the
  5330. .status.condition[x].observedGeneration is 9, the condition is out of date
  5331. with respect to the current state of the Issuer.
  5332. type: integer
  5333. format: int64
  5334. reason:
  5335. description: |-
  5336. Reason is a brief machine readable explanation for the condition's last
  5337. transition.
  5338. type: string
  5339. status:
  5340. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  5341. type: string
  5342. enum:
  5343. - "True"
  5344. - "False"
  5345. - Unknown
  5346. type:
  5347. description: Type of the condition, known values are (`Ready`).
  5348. type: string
  5349. x-kubernetes-list-map-keys:
  5350. - type
  5351. x-kubernetes-list-type: map
  5352. served: true
  5353. storage: true
  5354. # END crd
  5355. ---
  5356. # Source: cert-manager/templates/crds.yaml
  5357. # START crd
  5358. apiVersion: apiextensions.k8s.io/v1
  5359. kind: CustomResourceDefinition
  5360. metadata:
  5361. name: issuers.cert-manager.io
  5362. # START annotations
  5363. annotations:
  5364. helm.sh/resource-policy: keep
  5365. # END annotations
  5366. labels:
  5367. app: 'cert-manager'
  5368. app.kubernetes.io/name: 'cert-manager'
  5369. app.kubernetes.io/instance: 'cert-manager'
  5370. app.kubernetes.io/component: "crds"
  5371. # Generated labels
  5372. app.kubernetes.io/version: "v1.15.2"
  5373. spec:
  5374. group: cert-manager.io
  5375. names:
  5376. kind: Issuer
  5377. listKind: IssuerList
  5378. plural: issuers
  5379. singular: issuer
  5380. categories:
  5381. - cert-manager
  5382. scope: Namespaced
  5383. versions:
  5384. - name: v1
  5385. subresources:
  5386. status: {}
  5387. additionalPrinterColumns:
  5388. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  5389. name: Ready
  5390. type: string
  5391. - jsonPath: .status.conditions[?(@.type=="Ready")].message
  5392. name: Status
  5393. priority: 1
  5394. type: string
  5395. - jsonPath: .metadata.creationTimestamp
  5396. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  5397. name: Age
  5398. type: date
  5399. schema:
  5400. openAPIV3Schema:
  5401. description: |-
  5402. An Issuer represents a certificate issuing authority which can be
  5403. referenced as part of `issuerRef` fields.
  5404. It is scoped to a single namespace and can therefore only be referenced by
  5405. resources within the same namespace.
  5406. type: object
  5407. required:
  5408. - spec
  5409. properties:
  5410. apiVersion:
  5411. description: |-
  5412. APIVersion defines the versioned schema of this representation of an object.
  5413. Servers should convert recognized schemas to the latest internal value, and
  5414. may reject unrecognized values.
  5415. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5416. type: string
  5417. kind:
  5418. description: |-
  5419. Kind is a string value representing the REST resource this object represents.
  5420. Servers may infer this from the endpoint the client submits requests to.
  5421. Cannot be updated.
  5422. In CamelCase.
  5423. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5424. type: string
  5425. metadata:
  5426. type: object
  5427. spec:
  5428. description: Desired state of the Issuer resource.
  5429. type: object
  5430. properties:
  5431. acme:
  5432. description: |-
  5433. ACME configures this issuer to communicate with a RFC8555 (ACME) server
  5434. to obtain signed x509 certificates.
  5435. type: object
  5436. required:
  5437. - privateKeySecretRef
  5438. - server
  5439. properties:
  5440. caBundle:
  5441. description: |-
  5442. Base64-encoded bundle of PEM CAs which can be used to validate the certificate
  5443. chain presented by the ACME server.
  5444. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
  5445. kinds of security vulnerabilities.
  5446. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
  5447. the container is used to validate the TLS connection.
  5448. type: string
  5449. format: byte
  5450. disableAccountKeyGeneration:
  5451. description: |-
  5452. Enables or disables generating a new ACME account key.
  5453. If true, the Issuer resource will *not* request a new account but will expect
  5454. the account key to be supplied via an existing secret.
  5455. If false, the cert-manager system will generate a new ACME account key
  5456. for the Issuer.
  5457. Defaults to false.
  5458. type: boolean
  5459. email:
  5460. description: |-
  5461. Email is the email address to be associated with the ACME account.
  5462. This field is optional, but it is strongly recommended to be set.
  5463. It will be used to contact you in case of issues with your account or
  5464. certificates, including expiry notification emails.
  5465. This field may be updated after the account is initially registered.
  5466. type: string
  5467. enableDurationFeature:
  5468. description: |-
  5469. Enables requesting a Not After date on certificates that matches the
  5470. duration of the certificate. This is not supported by all ACME servers
  5471. like Let's Encrypt. If set to true when the ACME server does not support
  5472. it, it will create an error on the Order.
  5473. Defaults to false.
  5474. type: boolean
  5475. externalAccountBinding:
  5476. description: |-
  5477. ExternalAccountBinding is a reference to a CA external account of the ACME
  5478. server.
  5479. If set, upon registration cert-manager will attempt to associate the given
  5480. external account credentials with the registered ACME account.
  5481. type: object
  5482. required:
  5483. - keyID
  5484. - keySecretRef
  5485. properties:
  5486. keyAlgorithm:
  5487. description: |-
  5488. Deprecated: keyAlgorithm field exists for historical compatibility
  5489. reasons and should not be used. The algorithm is now hardcoded to HS256
  5490. in golang/x/crypto/acme.
  5491. type: string
  5492. enum:
  5493. - HS256
  5494. - HS384
  5495. - HS512
  5496. keyID:
  5497. description: keyID is the ID of the CA key that the External Account is bound to.
  5498. type: string
  5499. keySecretRef:
  5500. description: |-
  5501. keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
  5502. Secret which holds the symmetric MAC key of the External Account Binding.
  5503. The `key` is the index string that is paired with the key data in the
  5504. Secret and should not be confused with the key data itself, or indeed with
  5505. the External Account Binding keyID above.
  5506. The secret key stored in the Secret **must** be un-padded, base64 URL
  5507. encoded data.
  5508. type: object
  5509. required:
  5510. - name
  5511. properties:
  5512. key:
  5513. description: |-
  5514. The key of the entry in the Secret resource's `data` field to be used.
  5515. Some instances of this field may be defaulted, in others it may be
  5516. required.
  5517. type: string
  5518. name:
  5519. description: |-
  5520. Name of the resource being referred to.
  5521. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5522. type: string
  5523. preferredChain:
  5524. description: |-
  5525. PreferredChain is the chain to use if the ACME server outputs multiple.
  5526. PreferredChain is no guarantee that this one gets delivered by the ACME
  5527. endpoint.
  5528. For example, for Let's Encrypt's DST cross-sign you would use:
  5529. "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
  5530. This value picks the first certificate bundle in the combined set of
  5531. ACME default and alternative chains that has a root-most certificate with
  5532. this value as its issuer's commonname.
  5533. type: string
  5534. maxLength: 64
  5535. privateKeySecretRef:
  5536. description: |-
  5537. PrivateKey is the name of a Kubernetes Secret resource that will be used to
  5538. store the automatically generated ACME account private key.
  5539. Optionally, a `key` may be specified to select a specific entry within
  5540. the named Secret resource.
  5541. If `key` is not specified, a default of `tls.key` will be used.
  5542. type: object
  5543. required:
  5544. - name
  5545. properties:
  5546. key:
  5547. description: |-
  5548. The key of the entry in the Secret resource's `data` field to be used.
  5549. Some instances of this field may be defaulted, in others it may be
  5550. required.
  5551. type: string
  5552. name:
  5553. description: |-
  5554. Name of the resource being referred to.
  5555. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5556. type: string
  5557. server:
  5558. description: |-
  5559. Server is the URL used to access the ACME server's 'directory' endpoint.
  5560. For example, for Let's Encrypt's staging endpoint, you would use:
  5561. "https://acme-staging-v02.api.letsencrypt.org/directory".
  5562. Only ACME v2 endpoints (i.e. RFC 8555) are supported.
  5563. type: string
  5564. skipTLSVerify:
  5565. description: |-
  5566. INSECURE: Enables or disables validation of the ACME server TLS certificate.
  5567. If true, requests to the ACME server will not have the TLS certificate chain
  5568. validated.
  5569. Mutually exclusive with CABundle; prefer using CABundle to prevent various
  5570. kinds of security vulnerabilities.
  5571. Only enable this option in development environments.
  5572. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
  5573. the container is used to validate the TLS connection.
  5574. Defaults to false.
  5575. type: boolean
  5576. solvers:
  5577. description: |-
  5578. Solvers is a list of challenge solvers that will be used to solve
  5579. ACME challenges for the matching domains.
  5580. Solver configurations must be provided in order to obtain certificates
  5581. from an ACME server.
  5582. For more information, see: https://cert-manager.io/docs/configuration/acme/
  5583. type: array
  5584. items:
  5585. description: |-
  5586. An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
  5587. A selector may be provided to use different solving strategies for different DNS names.
  5588. Only one of HTTP01 or DNS01 must be provided.
  5589. type: object
  5590. properties:
  5591. dns01:
  5592. description: |-
  5593. Configures cert-manager to attempt to complete authorizations by
  5594. performing the DNS01 challenge flow.
  5595. type: object
  5596. properties:
  5597. acmeDNS:
  5598. description: |-
  5599. Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
  5600. DNS01 challenge records.
  5601. type: object
  5602. required:
  5603. - accountSecretRef
  5604. - host
  5605. properties:
  5606. accountSecretRef:
  5607. description: |-
  5608. A reference to a specific 'key' within a Secret resource.
  5609. In some instances, `key` is a required field.
  5610. type: object
  5611. required:
  5612. - name
  5613. properties:
  5614. key:
  5615. description: |-
  5616. The key of the entry in the Secret resource's `data` field to be used.
  5617. Some instances of this field may be defaulted, in others it may be
  5618. required.
  5619. type: string
  5620. name:
  5621. description: |-
  5622. Name of the resource being referred to.
  5623. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5624. type: string
  5625. host:
  5626. type: string
  5627. akamai:
  5628. description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
  5629. type: object
  5630. required:
  5631. - accessTokenSecretRef
  5632. - clientSecretSecretRef
  5633. - clientTokenSecretRef
  5634. - serviceConsumerDomain
  5635. properties:
  5636. accessTokenSecretRef:
  5637. description: |-
  5638. A reference to a specific 'key' within a Secret resource.
  5639. In some instances, `key` is a required field.
  5640. type: object
  5641. required:
  5642. - name
  5643. properties:
  5644. key:
  5645. description: |-
  5646. The key of the entry in the Secret resource's `data` field to be used.
  5647. Some instances of this field may be defaulted, in others it may be
  5648. required.
  5649. type: string
  5650. name:
  5651. description: |-
  5652. Name of the resource being referred to.
  5653. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5654. type: string
  5655. clientSecretSecretRef:
  5656. description: |-
  5657. A reference to a specific 'key' within a Secret resource.
  5658. In some instances, `key` is a required field.
  5659. type: object
  5660. required:
  5661. - name
  5662. properties:
  5663. key:
  5664. description: |-
  5665. The key of the entry in the Secret resource's `data` field to be used.
  5666. Some instances of this field may be defaulted, in others it may be
  5667. required.
  5668. type: string
  5669. name:
  5670. description: |-
  5671. Name of the resource being referred to.
  5672. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5673. type: string
  5674. clientTokenSecretRef:
  5675. description: |-
  5676. A reference to a specific 'key' within a Secret resource.
  5677. In some instances, `key` is a required field.
  5678. type: object
  5679. required:
  5680. - name
  5681. properties:
  5682. key:
  5683. description: |-
  5684. The key of the entry in the Secret resource's `data` field to be used.
  5685. Some instances of this field may be defaulted, in others it may be
  5686. required.
  5687. type: string
  5688. name:
  5689. description: |-
  5690. Name of the resource being referred to.
  5691. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5692. type: string
  5693. serviceConsumerDomain:
  5694. type: string
  5695. azureDNS:
  5696. description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
  5697. type: object
  5698. required:
  5699. - resourceGroupName
  5700. - subscriptionID
  5701. properties:
  5702. clientID:
  5703. description: |-
  5704. Auth: Azure Service Principal:
  5705. The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
  5706. If set, ClientSecret and TenantID must also be set.
  5707. type: string
  5708. clientSecretSecretRef:
  5709. description: |-
  5710. Auth: Azure Service Principal:
  5711. A reference to a Secret containing the password associated with the Service Principal.
  5712. If set, ClientID and TenantID must also be set.
  5713. type: object
  5714. required:
  5715. - name
  5716. properties:
  5717. key:
  5718. description: |-
  5719. The key of the entry in the Secret resource's `data` field to be used.
  5720. Some instances of this field may be defaulted, in others it may be
  5721. required.
  5722. type: string
  5723. name:
  5724. description: |-
  5725. Name of the resource being referred to.
  5726. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5727. type: string
  5728. environment:
  5729. description: name of the Azure environment (default AzurePublicCloud)
  5730. type: string
  5731. enum:
  5732. - AzurePublicCloud
  5733. - AzureChinaCloud
  5734. - AzureGermanCloud
  5735. - AzureUSGovernmentCloud
  5736. hostedZoneName:
  5737. description: name of the DNS zone that should be used
  5738. type: string
  5739. managedIdentity:
  5740. description: |-
  5741. Auth: Azure Workload Identity or Azure Managed Service Identity:
  5742. Settings to enable Azure Workload Identity or Azure Managed Service Identity
  5743. If set, ClientID, ClientSecret and TenantID must not be set.
  5744. type: object
  5745. properties:
  5746. clientID:
  5747. description: client ID of the managed identity, cannot be used at the same time as resourceID
  5748. type: string
  5749. resourceID:
  5750. description: |-
  5751. resource ID of the managed identity, cannot be used at the same time as clientID
  5752. Cannot be used for Azure Managed Service Identity
  5753. type: string
  5754. resourceGroupName:
  5755. description: resource group the DNS zone is located in
  5756. type: string
  5757. subscriptionID:
  5758. description: ID of the Azure subscription
  5759. type: string
  5760. tenantID:
  5761. description: |-
  5762. Auth: Azure Service Principal:
  5763. The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
  5764. If set, ClientID and ClientSecret must also be set.
  5765. type: string
  5766. cloudDNS:
  5767. description: Use the Google Cloud DNS API to manage DNS01 challenge records.
  5768. type: object
  5769. required:
  5770. - project
  5771. properties:
  5772. hostedZoneName:
  5773. description: |-
  5774. HostedZoneName is an optional field that tells cert-manager in which
  5775. Cloud DNS zone the challenge record has to be created.
  5776. If left empty cert-manager will automatically choose a zone.
  5777. type: string
  5778. project:
  5779. type: string
  5780. serviceAccountSecretRef:
  5781. description: |-
  5782. A reference to a specific 'key' within a Secret resource.
  5783. In some instances, `key` is a required field.
  5784. type: object
  5785. required:
  5786. - name
  5787. properties:
  5788. key:
  5789. description: |-
  5790. The key of the entry in the Secret resource's `data` field to be used.
  5791. Some instances of this field may be defaulted, in others it may be
  5792. required.
  5793. type: string
  5794. name:
  5795. description: |-
  5796. Name of the resource being referred to.
  5797. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5798. type: string
  5799. cloudflare:
  5800. description: Use the Cloudflare API to manage DNS01 challenge records.
  5801. type: object
  5802. properties:
  5803. apiKeySecretRef:
  5804. description: |-
  5805. API key to use to authenticate with Cloudflare.
  5806. Note: using an API token to authenticate is now the recommended method
  5807. as it allows greater control of permissions.
  5808. type: object
  5809. required:
  5810. - name
  5811. properties:
  5812. key:
  5813. description: |-
  5814. The key of the entry in the Secret resource's `data` field to be used.
  5815. Some instances of this field may be defaulted, in others it may be
  5816. required.
  5817. type: string
  5818. name:
  5819. description: |-
  5820. Name of the resource being referred to.
  5821. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5822. type: string
  5823. apiTokenSecretRef:
  5824. description: API token used to authenticate with Cloudflare.
  5825. type: object
  5826. required:
  5827. - name
  5828. properties:
  5829. key:
  5830. description: |-
  5831. The key of the entry in the Secret resource's `data` field to be used.
  5832. Some instances of this field may be defaulted, in others it may be
  5833. required.
  5834. type: string
  5835. name:
  5836. description: |-
  5837. Name of the resource being referred to.
  5838. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5839. type: string
  5840. email:
  5841. description: Email of the account, only required when using API key based authentication.
  5842. type: string
  5843. cnameStrategy:
  5844. description: |-
  5845. CNAMEStrategy configures how the DNS01 provider should handle CNAME
  5846. records when found in DNS zones.
  5847. type: string
  5848. enum:
  5849. - None
  5850. - Follow
  5851. digitalocean:
  5852. description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
  5853. type: object
  5854. required:
  5855. - tokenSecretRef
  5856. properties:
  5857. tokenSecretRef:
  5858. description: |-
  5859. A reference to a specific 'key' within a Secret resource.
  5860. In some instances, `key` is a required field.
  5861. type: object
  5862. required:
  5863. - name
  5864. properties:
  5865. key:
  5866. description: |-
  5867. The key of the entry in the Secret resource's `data` field to be used.
  5868. Some instances of this field may be defaulted, in others it may be
  5869. required.
  5870. type: string
  5871. name:
  5872. description: |-
  5873. Name of the resource being referred to.
  5874. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5875. type: string
  5876. rfc2136:
  5877. description: |-
  5878. Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
  5879. to manage DNS01 challenge records.
  5880. type: object
  5881. required:
  5882. - nameserver
  5883. properties:
  5884. nameserver:
  5885. description: |-
  5886. The IP address or hostname of an authoritative DNS server supporting
  5887. RFC2136 in the form host:port. If the host is an IPv6 address it must be
  5888. enclosed in square brackets (e.g. [2001:db8::1]); port is optional.
  5889. This field is required.
  5890. type: string
  5891. tsigAlgorithm:
  5892. description: |-
  5893. The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
  5894. when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
  5895. Supported values are (case-insensitive): ``HMACMD5`` (default),
  5896. ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
  5897. type: string
  5898. tsigKeyName:
  5899. description: |-
  5900. The TSIG Key name configured in the DNS.
  5901. If ``tsigSecretSecretRef`` is defined, this field is required.
  5902. type: string
  5903. tsigSecretSecretRef:
  5904. description: |-
  5905. The name of the secret containing the TSIG value.
  5906. If ``tsigKeyName`` is defined, this field is required.
  5907. type: object
  5908. required:
  5909. - name
  5910. properties:
  5911. key:
  5912. description: |-
  5913. The key of the entry in the Secret resource's `data` field to be used.
  5914. Some instances of this field may be defaulted, in others it may be
  5915. required.
  5916. type: string
  5917. name:
  5918. description: |-
  5919. Name of the resource being referred to.
  5920. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5921. type: string
  5922. route53:
  5923. description: Use the AWS Route53 API to manage DNS01 challenge records.
  5924. type: object
  5925. required:
  5926. - region
  5927. properties:
  5928. accessKeyID:
  5929. description: |-
  5930. The AccessKeyID is used for authentication.
  5931. Cannot be set when SecretAccessKeyID is set.
  5932. If neither the Access Key nor Key ID are set, we fall-back to using env
  5933. vars, shared credentials file or AWS Instance metadata,
  5934. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  5935. type: string
  5936. accessKeyIDSecretRef:
  5937. description: |-
  5938. The SecretAccessKey is used for authentication. If set, pull the AWS
  5939. access key ID from a key within a Kubernetes Secret.
  5940. Cannot be set when AccessKeyID is set.
  5941. If neither the Access Key nor Key ID are set, we fall-back to using env
  5942. vars, shared credentials file or AWS Instance metadata,
  5943. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  5944. type: object
  5945. required:
  5946. - name
  5947. properties:
  5948. key:
  5949. description: |-
  5950. The key of the entry in the Secret resource's `data` field to be used.
  5951. Some instances of this field may be defaulted, in others it may be
  5952. required.
  5953. type: string
  5954. name:
  5955. description: |-
  5956. Name of the resource being referred to.
  5957. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5958. type: string
  5959. auth:
  5960. description: Auth configures how cert-manager authenticates.
  5961. type: object
  5962. required:
  5963. - kubernetes
  5964. properties:
  5965. kubernetes:
  5966. description: |-
  5967. Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
  5968. by passing a bound ServiceAccount token.
  5969. type: object
  5970. required:
  5971. - serviceAccountRef
  5972. properties:
  5973. serviceAccountRef:
  5974. description: |-
  5975. A reference to a service account that will be used to request a bound
  5976. token (also known as "projected token"). To use this field, you must
  5977. configure an RBAC rule to let cert-manager request a token.
  5978. type: object
  5979. required:
  5980. - name
  5981. properties:
  5982. audiences:
  5983. description: |-
  5984. TokenAudiences is an optional list of audiences to include in the
  5985. token passed to AWS. The default token consisting of the issuer's namespace
  5986. and name is always included.
  5987. If unset the audience defaults to `sts.amazonaws.com`.
  5988. type: array
  5989. items:
  5990. type: string
  5991. name:
  5992. description: Name of the ServiceAccount used to request a token.
  5993. type: string
  5994. hostedZoneID:
  5995. description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
  5996. type: string
  5997. region:
  5998. description: Always set the region when using AccessKeyID and SecretAccessKey
  5999. type: string
  6000. role:
  6001. description: |-
  6002. Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
  6003. or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
  6004. type: string
  6005. secretAccessKeySecretRef:
  6006. description: |-
  6007. The SecretAccessKey is used for authentication.
  6008. If neither the Access Key nor Key ID are set, we fall-back to using env
  6009. vars, shared credentials file or AWS Instance metadata,
  6010. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  6011. type: object
  6012. required:
  6013. - name
  6014. properties:
  6015. key:
  6016. description: |-
  6017. The key of the entry in the Secret resource's `data` field to be used.
  6018. Some instances of this field may be defaulted, in others it may be
  6019. required.
  6020. type: string
  6021. name:
  6022. description: |-
  6023. Name of the resource being referred to.
  6024. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  6025. type: string
  6026. webhook:
  6027. description: |-
  6028. Configure an external webhook based DNS01 challenge solver to manage
  6029. DNS01 challenge records.
  6030. type: object
  6031. required:
  6032. - groupName
  6033. - solverName
  6034. properties:
  6035. config:
  6036. description: |-
  6037. Additional configuration that should be passed to the webhook apiserver
  6038. when challenges are processed.
  6039. This can contain arbitrary JSON data.
  6040. Secret values should not be specified in this stanza.
  6041. If secret values are needed (e.g. credentials for a DNS service), you
  6042. should use a SecretKeySelector to reference a Secret resource.
  6043. For details on the schema of this field, consult the webhook provider
  6044. implementation's documentation.
  6045. x-kubernetes-preserve-unknown-fields: true
  6046. groupName:
  6047. description: |-
  6048. The API group name that should be used when POSTing ChallengePayload
  6049. resources to the webhook apiserver.
  6050. This should be the same as the GroupName specified in the webhook
  6051. provider implementation.
  6052. type: string
  6053. solverName:
  6054. description: |-
  6055. The name of the solver to use, as defined in the webhook provider
  6056. implementation.
  6057. This will typically be the name of the provider, e.g. 'cloudflare'.
  6058. type: string
  6059. http01:
  6060. description: |-
  6061. Configures cert-manager to attempt to complete authorizations by
  6062. performing the HTTP01 challenge flow.
  6063. It is not possible to obtain certificates for wildcard domain names
  6064. (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
  6065. type: object
  6066. properties:
  6067. gatewayHTTPRoute:
  6068. description: |-
  6069. The Gateway API is a sig-network community API that models service networking
  6070. in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
  6071. create HTTPRoutes with the specified labels in the same namespace as the challenge.
  6072. This solver is experimental, and fields / behaviour may change in the future.
  6073. type: object
  6074. properties:
  6075. labels:
  6076. description: |-
  6077. Custom labels that will be applied to HTTPRoutes created by cert-manager
  6078. while solving HTTP-01 challenges.
  6079. type: object
  6080. additionalProperties:
  6081. type: string
  6082. parentRefs:
  6083. description: |-
  6084. When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
  6085. cert-manager needs to know which parentRefs should be used when creating
  6086. the HTTPRoute. Usually, the parentRef references a Gateway. See:
  6087. https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
  6088. type: array
  6089. items:
  6090. description: |-
  6091. ParentReference identifies an API object (usually a Gateway) that can be considered
  6092. a parent of this resource (usually a route). There are two kinds of parent resources
  6093. with "Core" support:
  6094. * Gateway (Gateway conformance profile)
  6095. * Service (Mesh conformance profile, ClusterIP Services only)
  6096. This API may be extended in the future to support additional kinds of parent
  6097. resources.
  6098. The API object must be valid in the cluster; the Group and Kind must
  6099. be registered in the cluster for this reference to be valid.
  6100. type: object
  6101. required:
  6102. - name
  6103. properties:
  6104. group:
  6105. description: |-
  6106. Group is the group of the referent.
  6107. When unspecified, "gateway.networking.k8s.io" is inferred.
  6108. To set the core API group (such as for a "Service" kind referent),
  6109. Group must be explicitly set to "" (empty string).
  6110. Support: Core
  6111. type: string
  6112. default: gateway.networking.k8s.io
  6113. maxLength: 253
  6114. pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6115. kind:
  6116. description: |-
  6117. Kind is kind of the referent.
  6118. There are two kinds of parent resources with "Core" support:
  6119. * Gateway (Gateway conformance profile)
  6120. * Service (Mesh conformance profile, ClusterIP Services only)
  6121. Support for other resources is Implementation-Specific.
  6122. type: string
  6123. default: Gateway
  6124. maxLength: 63
  6125. minLength: 1
  6126. pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
  6127. name:
  6128. description: |-
  6129. Name is the name of the referent.
  6130. Support: Core
  6131. type: string
  6132. maxLength: 253
  6133. minLength: 1
  6134. namespace:
  6135. description: |-
  6136. Namespace is the namespace of the referent. When unspecified, this refers
  6137. to the local namespace of the Route.
  6138. Note that there are specific rules for ParentRefs which cross namespace
  6139. boundaries. Cross-namespace references are only valid if they are explicitly
  6140. allowed by something in the namespace they are referring to. For example:
  6141. Gateway has the AllowedRoutes field, and ReferenceGrant provides a
  6142. generic way to enable any other kind of cross-namespace reference.
  6143. <gateway:experimental:description>
  6144. ParentRefs from a Route to a Service in the same namespace are "producer"
  6145. routes, which apply default routing rules to inbound connections from
  6146. any namespace to the Service.
  6147. ParentRefs from a Route to a Service in a different namespace are
  6148. "consumer" routes, and these routing rules are only applied to outbound
  6149. connections originating from the same namespace as the Route, for which
  6150. the intended destination of the connections are a Service targeted as a
  6151. ParentRef of the Route.
  6152. </gateway:experimental:description>
  6153. Support: Core
  6154. type: string
  6155. maxLength: 63
  6156. minLength: 1
  6157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6158. port:
  6159. description: |-
  6160. Port is the network port this Route targets. It can be interpreted
  6161. differently based on the type of parent resource.
  6162. When the parent resource is a Gateway, this targets all listeners
  6163. listening on the specified port that also support this kind of Route(and
  6164. select this Route). It's not recommended to set `Port` unless the
  6165. networking behaviors specified in a Route must apply to a specific port
  6166. as opposed to a listener(s) whose port(s) may be changed. When both Port
  6167. and SectionName are specified, the name and port of the selected listener
  6168. must match both specified values.
  6169. <gateway:experimental:description>
  6170. When the parent resource is a Service, this targets a specific port in the
  6171. Service spec. When both Port (experimental) and SectionName are specified,
  6172. the name and port of the selected port must match both specified values.
  6173. </gateway:experimental:description>
  6174. Implementations MAY choose to support other parent resources.
  6175. Implementations supporting other types of parent resources MUST clearly
  6176. document how/if Port is interpreted.
  6177. For the purpose of status, an attachment is considered successful as
  6178. long as the parent resource accepts it partially. For example, Gateway
  6179. listeners can restrict which Routes can attach to them by Route kind,
  6180. namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
  6181. from the referencing Route, the Route MUST be considered successfully
  6182. attached. If no Gateway listeners accept attachment from this Route,
  6183. the Route MUST be considered detached from the Gateway.
  6184. Support: Extended
  6185. type: integer
  6186. format: int32
  6187. maximum: 65535
  6188. minimum: 1
  6189. sectionName:
  6190. description: |-
  6191. SectionName is the name of a section within the target resource. In the
  6192. following resources, SectionName is interpreted as the following:
  6193. * Gateway: Listener name. When both Port (experimental) and SectionName
  6194. are specified, the name and port of the selected listener must match
  6195. both specified values.
6196. * Service: Port name. When both Port (experimental) and SectionName
6197. are specified, the name and port of the selected port must match
6198. both specified values.
  6199. Implementations MAY choose to support attaching Routes to other resources.
  6200. If that is the case, they MUST clearly document how SectionName is
  6201. interpreted.
  6202. When unspecified (empty string), this will reference the entire resource.
  6203. For the purpose of status, an attachment is considered successful if at
  6204. least one section in the parent resource accepts it. For example, Gateway
  6205. listeners can restrict which Routes can attach to them by Route kind,
  6206. namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
  6207. the referencing Route, the Route MUST be considered successfully
  6208. attached. If no Gateway listeners accept attachment from this Route, the
  6209. Route MUST be considered detached from the Gateway.
  6210. Support: Core
  6211. type: string
  6212. maxLength: 253
  6213. minLength: 1
  6214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6215. serviceType:
  6216. description: |-
6217. Optional service type for Kubernetes solver service. Supported values
6218. are NodePort or ClusterIP. If unset, defaults to NodePort. The schema does not restrict this field to those two values. Because a NodePort service opens a port on every node, prefer ClusterIP where the ingress controller can route to ClusterIP services directly.
  6219. type: string
  6220. ingress:
  6221. description: |-
  6222. The ingress based HTTP01 challenge solver will solve challenges by
  6223. creating or modifying Ingress resources in order to route requests for
  6224. '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
  6225. provisioned by cert-manager for each Challenge to be completed.
  6226. type: object
  6227. properties:
  6228. class:
  6229. description: |-
  6230. This field configures the annotation `kubernetes.io/ingress.class` when
  6231. creating Ingress resources to solve ACME challenges that use this
  6232. challenge solver. Only one of `class`, `name` or `ingressClassName` may
  6233. be specified.
  6234. type: string
  6235. ingressClassName:
  6236. description: |-
  6237. This field configures the field `ingressClassName` on the created Ingress
  6238. resources used to solve ACME challenges that use this challenge solver.
  6239. This is the recommended way of configuring the ingress class. Only one of
  6240. `class`, `name` or `ingressClassName` may be specified.
  6241. type: string
  6242. ingressTemplate:
  6243. description: |-
  6244. Optional ingress template used to configure the ACME challenge solver
  6245. ingress used for HTTP01 challenges.
  6246. type: object
  6247. properties:
  6248. metadata:
  6249. description: |-
6250. ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
6251. Only the 'labels' and 'annotations' fields may be set.
6252. If labels or annotations overlap with in-built values, the values here
6253. will override the in-built values. This can include the `kubernetes.io/ingress.class` annotation configured via `class`, so an overriding annotation can change how the challenge ingress is routed.
  6254. type: object
  6255. properties:
  6256. annotations:
  6257. description: Annotations that should be added to the created ACME HTTP01 solver ingress.
  6258. type: object
  6259. additionalProperties:
  6260. type: string
  6261. labels:
  6262. description: Labels that should be added to the created ACME HTTP01 solver ingress.
  6263. type: object
  6264. additionalProperties:
  6265. type: string
  6266. name:
  6267. description: |-
  6268. The name of the ingress resource that should have ACME challenge solving
  6269. routes inserted into it in order to solve HTTP01 challenges.
  6270. This is typically used in conjunction with ingress controllers like
  6271. ingress-gce, which maintains a 1:1 mapping between external IPs and
  6272. ingress resources. Only one of `class`, `name` or `ingressClassName` may
  6273. be specified.
  6274. type: string
  6275. podTemplate:
  6276. description: |-
  6277. Optional pod template used to configure the ACME challenge solver pods
  6278. used for HTTP01 challenges.
  6279. type: object
  6280. properties:
  6281. metadata:
  6282. description: |-
  6283. ObjectMeta overrides for the pod used to solve HTTP01 challenges.
  6284. Only the 'labels' and 'annotations' fields may be set.
  6285. If labels or annotations overlap with in-built values, the values here
  6286. will override the in-built values.
  6287. type: object
  6288. properties:
  6289. annotations:
  6290. description: Annotations that should be added to the create ACME HTTP01 solver pods.
  6291. type: object
  6292. additionalProperties:
  6293. type: string
  6294. labels:
  6295. description: Labels that should be added to the created ACME HTTP01 solver pods.
  6296. type: object
  6297. additionalProperties:
  6298. type: string
  6299. spec:
  6300. description: |-
6301. PodSpec defines overrides for the HTTP01 challenge solver pod.
6302. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
6303. All other fields will be ignored. Unsupported fields are silently dropped rather than rejected, so verify that any hardening settings placed here are in the supported list and actually appear on the solver pod.
  6304. type: object
  6305. properties:
  6306. affinity:
  6307. description: If specified, the pod's scheduling constraints
  6308. type: object
  6309. properties:
  6310. nodeAffinity:
  6311. description: Describes node affinity scheduling rules for the pod.
  6312. type: object
  6313. properties:
  6314. preferredDuringSchedulingIgnoredDuringExecution:
  6315. description: |-
  6316. The scheduler will prefer to schedule pods to nodes that satisfy
  6317. the affinity expressions specified by this field, but it may choose
  6318. a node that violates one or more of the expressions. The node that is
  6319. most preferred is the one with the greatest sum of weights, i.e.
  6320. for each node that meets all of the scheduling requirements (resource
  6321. request, requiredDuringScheduling affinity expressions, etc.),
  6322. compute a sum by iterating through the elements of this field and adding
  6323. "weight" to the sum if the node matches the corresponding matchExpressions; the
  6324. node(s) with the highest sum are the most preferred.
  6325. type: array
  6326. items:
  6327. description: |-
  6328. An empty preferred scheduling term matches all objects with implicit weight 0
  6329. (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
  6330. type: object
  6331. required:
  6332. - preference
  6333. - weight
  6334. properties:
  6335. preference:
  6336. description: A node selector term, associated with the corresponding weight.
  6337. type: object
  6338. properties:
  6339. matchExpressions:
  6340. description: A list of node selector requirements by node's labels.
  6341. type: array
  6342. items:
  6343. description: |-
  6344. A node selector requirement is a selector that contains values, a key, and an operator
  6345. that relates the key and values.
  6346. type: object
  6347. required:
  6348. - key
  6349. - operator
  6350. properties:
  6351. key:
  6352. description: The label key that the selector applies to.
  6353. type: string
  6354. operator:
  6355. description: |-
  6356. Represents a key's relationship to a set of values.
6357. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  6358. type: string
  6359. values:
  6360. description: |-
  6361. An array of string values. If the operator is In or NotIn,
  6362. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6363. the values array must be empty. If the operator is Gt or Lt, the values
  6364. array must have a single element, which will be interpreted as an integer.
  6365. This array is replaced during a strategic merge patch.
  6366. type: array
  6367. items:
  6368. type: string
  6369. x-kubernetes-list-type: atomic
  6370. x-kubernetes-list-type: atomic
  6371. matchFields:
  6372. description: A list of node selector requirements by node's fields.
  6373. type: array
  6374. items:
  6375. description: |-
  6376. A node selector requirement is a selector that contains values, a key, and an operator
  6377. that relates the key and values.
  6378. type: object
  6379. required:
  6380. - key
  6381. - operator
  6382. properties:
  6383. key:
  6384. description: The label key that the selector applies to.
  6385. type: string
  6386. operator:
  6387. description: |-
  6388. Represents a key's relationship to a set of values.
6389. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  6390. type: string
  6391. values:
  6392. description: |-
  6393. An array of string values. If the operator is In or NotIn,
  6394. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6395. the values array must be empty. If the operator is Gt or Lt, the values
  6396. array must have a single element, which will be interpreted as an integer.
  6397. This array is replaced during a strategic merge patch.
  6398. type: array
  6399. items:
  6400. type: string
  6401. x-kubernetes-list-type: atomic
  6402. x-kubernetes-list-type: atomic
  6403. x-kubernetes-map-type: atomic
  6404. weight:
  6405. description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
  6406. type: integer
  6407. format: int32
  6408. x-kubernetes-list-type: atomic
  6409. requiredDuringSchedulingIgnoredDuringExecution:
  6410. description: |-
  6411. If the affinity requirements specified by this field are not met at
  6412. scheduling time, the pod will not be scheduled onto the node.
  6413. If the affinity requirements specified by this field cease to be met
  6414. at some point during pod execution (e.g. due to an update), the system
  6415. may or may not try to eventually evict the pod from its node.
  6416. type: object
  6417. required:
  6418. - nodeSelectorTerms
  6419. properties:
  6420. nodeSelectorTerms:
  6421. description: Required. A list of node selector terms. The terms are ORed.
  6422. type: array
  6423. items:
  6424. description: |-
  6425. A null or empty node selector term matches no objects. The requirements of
  6426. them are ANDed.
  6427. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
  6428. type: object
  6429. properties:
  6430. matchExpressions:
  6431. description: A list of node selector requirements by node's labels.
  6432. type: array
  6433. items:
  6434. description: |-
  6435. A node selector requirement is a selector that contains values, a key, and an operator
  6436. that relates the key and values.
  6437. type: object
  6438. required:
  6439. - key
  6440. - operator
  6441. properties:
  6442. key:
  6443. description: The label key that the selector applies to.
  6444. type: string
  6445. operator:
  6446. description: |-
  6447. Represents a key's relationship to a set of values.
6448. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  6449. type: string
  6450. values:
  6451. description: |-
  6452. An array of string values. If the operator is In or NotIn,
  6453. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6454. the values array must be empty. If the operator is Gt or Lt, the values
  6455. array must have a single element, which will be interpreted as an integer.
  6456. This array is replaced during a strategic merge patch.
  6457. type: array
  6458. items:
  6459. type: string
  6460. x-kubernetes-list-type: atomic
  6461. x-kubernetes-list-type: atomic
  6462. matchFields:
  6463. description: A list of node selector requirements by node's fields.
  6464. type: array
  6465. items:
  6466. description: |-
  6467. A node selector requirement is a selector that contains values, a key, and an operator
  6468. that relates the key and values.
  6469. type: object
  6470. required:
  6471. - key
  6472. - operator
  6473. properties:
  6474. key:
  6475. description: The label key that the selector applies to.
  6476. type: string
  6477. operator:
  6478. description: |-
  6479. Represents a key's relationship to a set of values.
6480. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
  6481. type: string
  6482. values:
  6483. description: |-
  6484. An array of string values. If the operator is In or NotIn,
  6485. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6486. the values array must be empty. If the operator is Gt or Lt, the values
  6487. array must have a single element, which will be interpreted as an integer.
  6488. This array is replaced during a strategic merge patch.
  6489. type: array
  6490. items:
  6491. type: string
  6492. x-kubernetes-list-type: atomic
  6493. x-kubernetes-list-type: atomic
  6494. x-kubernetes-map-type: atomic
  6495. x-kubernetes-list-type: atomic
  6496. x-kubernetes-map-type: atomic
  6497. podAffinity:
  6498. description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
  6499. type: object
  6500. properties:
  6501. preferredDuringSchedulingIgnoredDuringExecution:
  6502. description: |-
  6503. The scheduler will prefer to schedule pods to nodes that satisfy
  6504. the affinity expressions specified by this field, but it may choose
  6505. a node that violates one or more of the expressions. The node that is
  6506. most preferred is the one with the greatest sum of weights, i.e.
  6507. for each node that meets all of the scheduling requirements (resource
  6508. request, requiredDuringScheduling affinity expressions, etc.),
  6509. compute a sum by iterating through the elements of this field and adding
  6510. "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
  6511. node(s) with the highest sum are the most preferred.
  6512. type: array
  6513. items:
  6514. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  6515. type: object
  6516. required:
  6517. - podAffinityTerm
  6518. - weight
  6519. properties:
  6520. podAffinityTerm:
  6521. description: Required. A pod affinity term, associated with the corresponding weight.
  6522. type: object
  6523. required:
  6524. - topologyKey
  6525. properties:
  6526. labelSelector:
  6527. description: |-
  6528. A label query over a set of resources, in this case pods.
  6529. If it's null, this PodAffinityTerm matches with no Pods.
  6530. type: object
  6531. properties:
  6532. matchExpressions:
  6533. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6534. type: array
  6535. items:
  6536. description: |-
  6537. A label selector requirement is a selector that contains values, a key, and an operator that
  6538. relates the key and values.
  6539. type: object
  6540. required:
  6541. - key
  6542. - operator
  6543. properties:
  6544. key:
  6545. description: key is the label key that the selector applies to.
  6546. type: string
  6547. operator:
  6548. description: |-
  6549. operator represents a key's relationship to a set of values.
  6550. Valid operators are In, NotIn, Exists and DoesNotExist.
  6551. type: string
  6552. values:
  6553. description: |-
  6554. values is an array of string values. If the operator is In or NotIn,
  6555. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6556. the values array must be empty. This array is replaced during a strategic
  6557. merge patch.
  6558. type: array
  6559. items:
  6560. type: string
  6561. x-kubernetes-list-type: atomic
  6562. x-kubernetes-list-type: atomic
  6563. matchLabels:
  6564. description: |-
  6565. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6566. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6567. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6568. type: object
  6569. additionalProperties:
  6570. type: string
  6571. x-kubernetes-map-type: atomic
  6572. matchLabelKeys:
  6573. description: |-
  6574. MatchLabelKeys is a set of pod label keys to select which pods will
  6575. be taken into consideration. The keys are used to lookup values from the
  6576. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  6577. to select the group of existing pods which pods will be taken into consideration
  6578. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  6579. pod labels will be ignored. The default value is empty.
  6580. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  6581. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  6582. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  6583. type: array
  6584. items:
  6585. type: string
  6586. x-kubernetes-list-type: atomic
  6587. mismatchLabelKeys:
  6588. description: |-
  6589. MismatchLabelKeys is a set of pod label keys to select which pods will
  6590. be taken into consideration. The keys are used to lookup values from the
  6591. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  6592. to select the group of existing pods which pods will be taken into consideration
  6593. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  6594. pod labels will be ignored. The default value is empty.
  6595. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  6596. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  6597. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  6598. type: array
  6599. items:
  6600. type: string
  6601. x-kubernetes-list-type: atomic
  6602. namespaceSelector:
  6603. description: |-
  6604. A label query over the set of namespaces that the term applies to.
  6605. The term is applied to the union of the namespaces selected by this field
  6606. and the ones listed in the namespaces field.
  6607. null selector and null or empty namespaces list means "this pod's namespace".
  6608. An empty selector ({}) matches all namespaces.
  6609. type: object
  6610. properties:
  6611. matchExpressions:
  6612. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6613. type: array
  6614. items:
  6615. description: |-
  6616. A label selector requirement is a selector that contains values, a key, and an operator that
  6617. relates the key and values.
  6618. type: object
  6619. required:
  6620. - key
  6621. - operator
  6622. properties:
  6623. key:
  6624. description: key is the label key that the selector applies to.
  6625. type: string
  6626. operator:
  6627. description: |-
  6628. operator represents a key's relationship to a set of values.
  6629. Valid operators are In, NotIn, Exists and DoesNotExist.
  6630. type: string
  6631. values:
  6632. description: |-
  6633. values is an array of string values. If the operator is In or NotIn,
  6634. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6635. the values array must be empty. This array is replaced during a strategic
  6636. merge patch.
  6637. type: array
  6638. items:
  6639. type: string
  6640. x-kubernetes-list-type: atomic
  6641. x-kubernetes-list-type: atomic
  6642. matchLabels:
  6643. description: |-
  6644. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6645. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6646. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6647. type: object
  6648. additionalProperties:
  6649. type: string
  6650. x-kubernetes-map-type: atomic
  6651. namespaces:
  6652. description: |-
  6653. namespaces specifies a static list of namespace names that the term applies to.
  6654. The term is applied to the union of the namespaces listed in this field
  6655. and the ones selected by namespaceSelector.
  6656. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  6657. type: array
  6658. items:
  6659. type: string
  6660. x-kubernetes-list-type: atomic
  6661. topologyKey:
  6662. description: |-
  6663. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  6664. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  6665. whose value of the label with key topologyKey matches that of any node on which any of the
  6666. selected pods is running.
  6667. Empty topologyKey is not allowed.
  6668. type: string
  6669. weight:
  6670. description: |-
  6671. weight associated with matching the corresponding podAffinityTerm,
  6672. in the range 1-100.
  6673. type: integer
  6674. format: int32
  6675. x-kubernetes-list-type: atomic
  6676. requiredDuringSchedulingIgnoredDuringExecution:
  6677. description: |-
  6678. If the affinity requirements specified by this field are not met at
  6679. scheduling time, the pod will not be scheduled onto the node.
  6680. If the affinity requirements specified by this field cease to be met
  6681. at some point during pod execution (e.g. due to a pod label update), the
  6682. system may or may not try to eventually evict the pod from its node.
  6683. When there are multiple elements, the lists of nodes corresponding to each
  6684. podAffinityTerm are intersected, i.e. all terms must be satisfied.
  6685. type: array
  6686. items:
  6687. description: |-
  6688. Defines a set of pods (namely those matching the labelSelector
  6689. relative to the given namespace(s)) that this pod should be
  6690. co-located (affinity) or not co-located (anti-affinity) with,
  6691. where co-located is defined as running on a node whose value of
  6692. the label with key <topologyKey> matches that of any node on which
  6693. a pod of the set of pods is running
  6694. type: object
  6695. required:
  6696. - topologyKey
  6697. properties:
  6698. labelSelector:
  6699. description: |-
  6700. A label query over a set of resources, in this case pods.
  6701. If it's null, this PodAffinityTerm matches with no Pods.
  6702. type: object
  6703. properties:
  6704. matchExpressions:
  6705. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6706. type: array
  6707. items:
  6708. description: |-
  6709. A label selector requirement is a selector that contains values, a key, and an operator that
  6710. relates the key and values.
  6711. type: object
  6712. required:
  6713. - key
  6714. - operator
  6715. properties:
  6716. key:
  6717. description: key is the label key that the selector applies to.
  6718. type: string
  6719. operator:
  6720. description: |-
  6721. operator represents a key's relationship to a set of values.
  6722. Valid operators are In, NotIn, Exists and DoesNotExist.
  6723. type: string
  6724. values:
  6725. description: |-
  6726. values is an array of string values. If the operator is In or NotIn,
  6727. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6728. the values array must be empty. This array is replaced during a strategic
  6729. merge patch.
  6730. type: array
  6731. items:
  6732. type: string
  6733. x-kubernetes-list-type: atomic
  6734. x-kubernetes-list-type: atomic
  6735. matchLabels:
  6736. description: |-
  6737. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6738. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6739. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6740. type: object
  6741. additionalProperties:
  6742. type: string
  6743. x-kubernetes-map-type: atomic
  6744. matchLabelKeys:
  6745. description: |-
  6746. MatchLabelKeys is a set of pod label keys to select which pods will
  6747. be taken into consideration. The keys are used to lookup values from the
  6748. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  6749. to select the group of existing pods which pods will be taken into consideration
  6750. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  6751. pod labels will be ignored. The default value is empty.
  6752. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  6753. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  6754. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  6755. type: array
  6756. items:
  6757. type: string
  6758. x-kubernetes-list-type: atomic
  6759. mismatchLabelKeys:
  6760. description: |-
  6761. MismatchLabelKeys is a set of pod label keys to select which pods will
  6762. be taken into consideration. The keys are used to lookup values from the
  6763. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  6764. to select the group of existing pods which pods will be taken into consideration
  6765. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  6766. pod labels will be ignored. The default value is empty.
  6767. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  6768. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  6769. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  6770. type: array
  6771. items:
  6772. type: string
  6773. x-kubernetes-list-type: atomic
  6774. namespaceSelector:
  6775. description: |-
  6776. A label query over the set of namespaces that the term applies to.
  6777. The term is applied to the union of the namespaces selected by this field
  6778. and the ones listed in the namespaces field.
  6779. null selector and null or empty namespaces list means "this pod's namespace".
  6780. An empty selector ({}) matches all namespaces.
  6781. type: object
  6782. properties:
  6783. matchExpressions:
  6784. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6785. type: array
  6786. items:
  6787. description: |-
  6788. A label selector requirement is a selector that contains values, a key, and an operator that
  6789. relates the key and values.
  6790. type: object
  6791. required:
  6792. - key
  6793. - operator
  6794. properties:
  6795. key:
  6796. description: key is the label key that the selector applies to.
  6797. type: string
  6798. operator:
  6799. description: |-
  6800. operator represents a key's relationship to a set of values.
  6801. Valid operators are In, NotIn, Exists and DoesNotExist.
  6802. type: string
  6803. values:
  6804. description: |-
  6805. values is an array of string values. If the operator is In or NotIn,
  6806. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6807. the values array must be empty. This array is replaced during a strategic
  6808. merge patch.
  6809. type: array
  6810. items:
  6811. type: string
  6812. x-kubernetes-list-type: atomic
  6813. x-kubernetes-list-type: atomic
  6814. matchLabels:
  6815. description: |-
  6816. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6817. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6818. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6819. type: object
  6820. additionalProperties:
  6821. type: string
  6822. x-kubernetes-map-type: atomic
  6823. namespaces:
  6824. description: |-
  6825. namespaces specifies a static list of namespace names that the term applies to.
  6826. The term is applied to the union of the namespaces listed in this field
  6827. and the ones selected by namespaceSelector.
  6828. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  6829. type: array
  6830. items:
  6831. type: string
  6832. x-kubernetes-list-type: atomic
  6833. topologyKey:
  6834. description: |-
  6835. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  6836. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  6837. whose value of the label with key topologyKey matches that of any node on which any of the
  6838. selected pods is running.
  6839. Empty topologyKey is not allowed.
  6840. type: string
  6841. x-kubernetes-list-type: atomic
  6842. podAntiAffinity:
  6843. description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
  6844. type: object
  6845. properties:
  6846. preferredDuringSchedulingIgnoredDuringExecution:
  6847. description: |-
  6848. The scheduler will prefer to schedule pods to nodes that satisfy
  6849. the anti-affinity expressions specified by this field, but it may choose
  6850. a node that violates one or more of the expressions. The node that is
  6851. most preferred is the one with the greatest sum of weights, i.e.
  6852. for each node that meets all of the scheduling requirements (resource
  6853. request, requiredDuringScheduling anti-affinity expressions, etc.),
  6854. compute a sum by iterating through the elements of this field and adding
  6855. "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
  6856. node(s) with the highest sum are the most preferred.
  6857. type: array
  6858. items:
  6859. description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
  6860. type: object
  6861. required:
  6862. - podAffinityTerm
  6863. - weight
  6864. properties:
  6865. podAffinityTerm:
  6866. description: Required. A pod affinity term, associated with the corresponding weight.
  6867. type: object
  6868. required:
  6869. - topologyKey
  6870. properties:
  6871. labelSelector:
  6872. description: |-
  6873. A label query over a set of resources, in this case pods.
  6874. If it's null, this PodAffinityTerm matches with no Pods.
  6875. type: object
  6876. properties:
  6877. matchExpressions:
  6878. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6879. type: array
  6880. items:
  6881. description: |-
  6882. A label selector requirement is a selector that contains values, a key, and an operator that
  6883. relates the key and values.
  6884. type: object
  6885. required:
  6886. - key
  6887. - operator
  6888. properties:
  6889. key:
  6890. description: key is the label key that the selector applies to.
  6891. type: string
  6892. operator:
  6893. description: |-
  6894. operator represents a key's relationship to a set of values.
  6895. Valid operators are In, NotIn, Exists and DoesNotExist.
  6896. type: string
  6897. values:
  6898. description: |-
  6899. values is an array of string values. If the operator is In or NotIn,
  6900. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6901. the values array must be empty. This array is replaced during a strategic
  6902. merge patch.
  6903. type: array
  6904. items:
  6905. type: string
  6906. x-kubernetes-list-type: atomic
  6907. x-kubernetes-list-type: atomic
  6908. matchLabels:
  6909. description: |-
  6910. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6911. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6912. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6913. type: object
  6914. additionalProperties:
  6915. type: string
  6916. x-kubernetes-map-type: atomic
  6917. matchLabelKeys:
  6918. description: |-
  6919. MatchLabelKeys is a set of pod label keys to select which pods will
  6920. be taken into consideration. The keys are used to look up values from the
  6921. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  6922. to select the group of existing pods which pods will be taken into consideration
  6923. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  6924. pod labels will be ignored. The default value is empty.
  6925. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  6926. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  6927. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  6928. type: array
  6929. items:
  6930. type: string
  6931. x-kubernetes-list-type: atomic
  6932. mismatchLabelKeys:
  6933. description: |-
  6934. MismatchLabelKeys is a set of pod label keys to select which pods will
  6935. be taken into consideration. The keys are used to look up values from the
  6936. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  6937. to select the group of existing pods which pods will be taken into consideration
  6938. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  6939. pod labels will be ignored. The default value is empty.
  6940. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  6941. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  6942. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  6943. type: array
  6944. items:
  6945. type: string
  6946. x-kubernetes-list-type: atomic
  6947. namespaceSelector:
  6948. description: |-
  6949. A label query over the set of namespaces that the term applies to.
  6950. The term is applied to the union of the namespaces selected by this field
  6951. and the ones listed in the namespaces field.
  6952. null selector and null or empty namespaces list means "this pod's namespace".
  6953. An empty selector ({}) matches all namespaces.
  6954. type: object
  6955. properties:
  6956. matchExpressions:
  6957. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6958. type: array
  6959. items:
  6960. description: |-
  6961. A label selector requirement is a selector that contains values, a key, and an operator that
  6962. relates the key and values.
  6963. type: object
  6964. required:
  6965. - key
  6966. - operator
  6967. properties:
  6968. key:
  6969. description: key is the label key that the selector applies to.
  6970. type: string
  6971. operator:
  6972. description: |-
  6973. operator represents a key's relationship to a set of values.
  6974. Valid operators are In, NotIn, Exists and DoesNotExist.
  6975. type: string
  6976. values:
  6977. description: |-
  6978. values is an array of string values. If the operator is In or NotIn,
  6979. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6980. the values array must be empty. This array is replaced during a strategic
  6981. merge patch.
  6982. type: array
  6983. items:
  6984. type: string
  6985. x-kubernetes-list-type: atomic
  6986. x-kubernetes-list-type: atomic
  6987. matchLabels:
  6988. description: |-
  6989. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6990. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6991. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6992. type: object
  6993. additionalProperties:
  6994. type: string
  6995. x-kubernetes-map-type: atomic
  6996. namespaces:
  6997. description: |-
  6998. namespaces specifies a static list of namespace names that the term applies to.
  6999. The term is applied to the union of the namespaces listed in this field
  7000. and the ones selected by namespaceSelector.
  7001. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  7002. type: array
  7003. items:
  7004. type: string
  7005. x-kubernetes-list-type: atomic
  7006. topologyKey:
  7007. description: |-
  7008. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  7009. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  7010. whose value of the label with key topologyKey matches that of any node on which any of the
  7011. selected pods is running.
  7012. Empty topologyKey is not allowed.
  7013. type: string
  7014. weight:
  7015. description: |-
  7016. weight associated with matching the corresponding podAffinityTerm,
  7017. in the range 1-100.
  7018. type: integer
  7019. format: int32
  7020. x-kubernetes-list-type: atomic
  7021. requiredDuringSchedulingIgnoredDuringExecution:
  7022. description: |-
  7023. If the anti-affinity requirements specified by this field are not met at
  7024. scheduling time, the pod will not be scheduled onto the node.
  7025. If the anti-affinity requirements specified by this field cease to be met
  7026. at some point during pod execution (e.g. due to a pod label update), the
  7027. system may or may not try to eventually evict the pod from its node.
  7028. When there are multiple elements, the lists of nodes corresponding to each
  7029. podAffinityTerm are intersected, i.e. all terms must be satisfied.
  7030. type: array
  7031. items:
  7032. description: |-
  7033. Defines a set of pods (namely those matching the labelSelector
  7034. relative to the given namespace(s)) that this pod should be
  7035. co-located (affinity) or not co-located (anti-affinity) with,
  7036. where co-located is defined as running on a node whose value of
  7037. the label with key <topologyKey> matches that of any node on which
  7038. a pod of the set of pods is running
  7039. type: object
  7040. required:
  7041. - topologyKey
  7042. properties:
  7043. labelSelector:
  7044. description: |-
  7045. A label query over a set of resources, in this case pods.
  7046. If it's null, this PodAffinityTerm matches with no Pods.
  7047. type: object
  7048. properties:
  7049. matchExpressions:
  7050. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  7051. type: array
  7052. items:
  7053. description: |-
  7054. A label selector requirement is a selector that contains values, a key, and an operator that
  7055. relates the key and values.
  7056. type: object
  7057. required:
  7058. - key
  7059. - operator
  7060. properties:
  7061. key:
  7062. description: key is the label key that the selector applies to.
  7063. type: string
  7064. operator:
  7065. description: |-
  7066. operator represents a key's relationship to a set of values.
  7067. Valid operators are In, NotIn, Exists and DoesNotExist.
  7068. type: string
  7069. values:
  7070. description: |-
  7071. values is an array of string values. If the operator is In or NotIn,
  7072. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  7073. the values array must be empty. This array is replaced during a strategic
  7074. merge patch.
  7075. type: array
  7076. items:
  7077. type: string
  7078. x-kubernetes-list-type: atomic
  7079. x-kubernetes-list-type: atomic
  7080. matchLabels:
  7081. description: |-
  7082. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  7083. map is equivalent to an element of matchExpressions, whose key field is "key", the
  7084. operator is "In", and the values array contains only "value". The requirements are ANDed.
  7085. type: object
  7086. additionalProperties:
  7087. type: string
  7088. x-kubernetes-map-type: atomic
  7089. matchLabelKeys:
  7090. description: |-
  7091. MatchLabelKeys is a set of pod label keys to select which pods will
  7092. be taken into consideration. The keys are used to look up values from the
  7093. incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
  7094. to select the group of existing pods which pods will be taken into consideration
  7095. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  7096. pod labels will be ignored. The default value is empty.
  7097. The same key is forbidden to exist in both matchLabelKeys and labelSelector.
  7098. Also, matchLabelKeys cannot be set when labelSelector isn't set.
  7099. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  7100. type: array
  7101. items:
  7102. type: string
  7103. x-kubernetes-list-type: atomic
  7104. mismatchLabelKeys:
  7105. description: |-
  7106. MismatchLabelKeys is a set of pod label keys to select which pods will
  7107. be taken into consideration. The keys are used to look up values from the
  7108. incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
  7109. to select the group of existing pods which pods will be taken into consideration
  7110. for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
  7111. pod labels will be ignored. The default value is empty.
  7112. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
  7113. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
  7114. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
  7115. type: array
  7116. items:
  7117. type: string
  7118. x-kubernetes-list-type: atomic
  7119. namespaceSelector:
  7120. description: |-
  7121. A label query over the set of namespaces that the term applies to.
  7122. The term is applied to the union of the namespaces selected by this field
  7123. and the ones listed in the namespaces field.
  7124. null selector and null or empty namespaces list means "this pod's namespace".
  7125. An empty selector ({}) matches all namespaces.
  7126. type: object
  7127. properties:
  7128. matchExpressions:
  7129. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  7130. type: array
  7131. items:
  7132. description: |-
  7133. A label selector requirement is a selector that contains values, a key, and an operator that
  7134. relates the key and values.
  7135. type: object
  7136. required:
  7137. - key
  7138. - operator
  7139. properties:
  7140. key:
  7141. description: key is the label key that the selector applies to.
  7142. type: string
  7143. operator:
  7144. description: |-
  7145. operator represents a key's relationship to a set of values.
  7146. Valid operators are In, NotIn, Exists and DoesNotExist.
  7147. type: string
  7148. values:
  7149. description: |-
  7150. values is an array of string values. If the operator is In or NotIn,
  7151. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  7152. the values array must be empty. This array is replaced during a strategic
  7153. merge patch.
  7154. type: array
  7155. items:
  7156. type: string
  7157. x-kubernetes-list-type: atomic
  7158. x-kubernetes-list-type: atomic
  7159. matchLabels:
  7160. description: |-
  7161. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  7162. map is equivalent to an element of matchExpressions, whose key field is "key", the
  7163. operator is "In", and the values array contains only "value". The requirements are ANDed.
  7164. type: object
  7165. additionalProperties:
  7166. type: string
  7167. x-kubernetes-map-type: atomic
  7168. namespaces:
  7169. description: |-
  7170. namespaces specifies a static list of namespace names that the term applies to.
  7171. The term is applied to the union of the namespaces listed in this field
  7172. and the ones selected by namespaceSelector.
  7173. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
  7174. type: array
  7175. items:
  7176. type: string
  7177. x-kubernetes-list-type: atomic
  7178. topologyKey:
  7179. description: |-
  7180. This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
  7181. the labelSelector in the specified namespaces, where co-located is defined as running on a node
  7182. whose value of the label with key topologyKey matches that of any node on which any of the
  7183. selected pods is running.
  7184. Empty topologyKey is not allowed.
  7185. type: string
  7186. x-kubernetes-list-type: atomic
  7187. imagePullSecrets:
  7188. description: If specified, the pod's imagePullSecrets
  7189. type: array
  7190. items:
  7191. description: |-
  7192. LocalObjectReference contains enough information to let you locate the
  7193. referenced object inside the same namespace.
  7194. type: object
  7195. properties:
  7196. name:
  7197. description: |-
  7198. Name of the referent.
  7199. This field is effectively required, but due to backwards compatibility is
  7200. allowed to be empty. Instances of this type with an empty value here are
  7201. almost certainly wrong.
  7202. TODO: Add other useful fields. apiVersion, kind, uid?
  7203. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7204. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  7205. type: string
  7206. default: ""
  7207. x-kubernetes-map-type: atomic
  7208. nodeSelector:
  7209. description: |-
  7210. NodeSelector is a selector which must be true for the pod to fit on a node.
  7211. Selector which must match a node's labels for the pod to be scheduled on that node.
  7212. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  7213. type: object
  7214. additionalProperties:
  7215. type: string
  7216. priorityClassName:
  7217. description: If specified, the pod's priorityClassName.
  7218. type: string
  7219. serviceAccountName:
  7220. description: If specified, the pod's service account
  7221. type: string
  7222. tolerations:
  7223. description: If specified, the pod's tolerations.
  7224. type: array
  7225. items:
  7226. description: |-
  7227. The pod this Toleration is attached to tolerates any taint that matches
  7228. the triple <key,value,effect> using the matching operator <operator>.
  7229. type: object
  7230. properties:
  7231. effect:
  7232. description: |-
  7233. Effect indicates the taint effect to match. Empty means match all taint effects.
  7234. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
  7235. type: string
  7236. key:
  7237. description: |-
  7238. Key is the taint key that the toleration applies to. Empty means match all taint keys.
  7239. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
  7240. type: string
  7241. operator:
  7242. description: |-
  7243. Operator represents a key's relationship to the value.
  7244. Valid operators are Exists and Equal. Defaults to Equal.
  7245. Exists is equivalent to wildcard for value, so that a pod can
  7246. tolerate all taints of a particular category.
  7247. type: string
  7248. tolerationSeconds:
  7249. description: |-
  7250. TolerationSeconds represents the period of time the toleration (which must be
  7251. of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
  7252. it is not set, which means tolerate the taint forever (do not evict). Zero and
  7253. negative values will be treated as 0 (evict immediately) by the system.
  7254. type: integer
  7255. format: int64
  7256. value:
  7257. description: |-
  7258. Value is the taint value the toleration matches to.
  7259. If the operator is Exists, the value should be empty, otherwise just a regular string.
  7260. type: string
  7261. serviceType:
  7262. description: |-
  7263. Optional service type for Kubernetes solver service. Supported values
  7264. are NodePort or ClusterIP. If unset, defaults to NodePort.
  7265. type: string
  7266. selector:
  7267. description: |-
  7268. Selector selects a set of DNSNames on the Certificate resource that
  7269. should be solved using this challenge solver.
  7270. If not specified, the solver will be treated as the 'default' solver
  7271. with the lowest priority, i.e. if any other solver has a more specific
  7272. match, it will be used instead.
  7273. type: object
  7274. properties:
  7275. dnsNames:
  7276. description: |-
  7277. List of DNSNames that this solver will be used to solve.
  7278. If specified and a match is found, a dnsNames selector will take
  7279. precedence over a dnsZones selector.
  7280. If multiple solvers match with the same dnsNames value, the solver
  7281. with the most matching labels in matchLabels will be selected.
  7282. If neither has more matches, the solver defined earlier in the list
  7283. will be selected.
  7284. type: array
  7285. items:
  7286. type: string
  7287. dnsZones:
  7288. description: |-
  7289. List of DNSZones that this solver will be used to solve.
  7290. The most specific DNS zone match specified here will take precedence
  7291. over other DNS zone matches, so a solver specifying sys.example.com
  7292. will be selected over one specifying example.com for the domain
  7293. www.sys.example.com.
  7294. If multiple solvers match with the same dnsZones value, the solver
  7295. with the most matching labels in matchLabels will be selected.
  7296. If neither has more matches, the solver defined earlier in the list
  7297. will be selected.
  7298. type: array
  7299. items:
  7300. type: string
  7301. matchLabels:
  7302. description: |-
  7303. A label selector that is used to refine the set of certificates that
  7304. this challenge solver will apply to.
  7305. type: object
  7306. additionalProperties:
  7307. type: string
  7308. ca:
  7309. description: |-
  7310. CA configures this issuer to sign certificates using a signing CA keypair
  7311. stored in a Secret resource.
  7312. This is used to build internal PKIs that are managed by cert-manager.
  7313. type: object
  7314. required:
  7315. - secretName
  7316. properties:
  7317. crlDistributionPoints:
  7318. description: |-
  7319. The CRL distribution points is an X.509 v3 certificate extension which identifies
  7320. the location of the CRL from which the revocation of this certificate can be checked.
  7321. If not set, certificates will be issued without distribution points set.
  7322. type: array
  7323. items:
  7324. type: string
  7325. issuingCertificateURLs:
  7326. description: |-
  7327. IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
  7328. it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
  7329. As an example, such a URL might be "http://ca.domain.com/ca.crt".
  7330. type: array
  7331. items:
  7332. type: string
  7333. ocspServers:
  7334. description: |-
  7335. The OCSP server list is an X.509 v3 extension that defines a list of
  7336. URLs of OCSP responders. The OCSP responders can be queried for the
  7337. revocation status of an issued certificate. If not set, the
  7338. certificate will be issued with no OCSP servers set. For example, an
  7339. OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
  7340. type: array
  7341. items:
  7342. type: string
  7343. secretName:
  7344. description: |-
  7345. SecretName is the name of the secret used to sign Certificates issued
  7346. by this Issuer.
  7347. type: string
  7348. selfSigned:
  7349. description: |-
  7350. SelfSigned configures this issuer to 'self sign' certificates using the
  7351. private key used to create the CertificateRequest object.
  7352. type: object
  7353. properties:
  7354. crlDistributionPoints:
  7355. description: |-
  7356. The CRL distribution points is an X.509 v3 certificate extension which identifies
  7357. the location of the CRL from which the revocation of this certificate can be checked.
  7358. If not set, the certificate will be issued without CDP. Values are strings.
  7359. type: array
  7360. items:
  7361. type: string
  7362. vault:
  7363. description: |-
  7364. Vault configures this issuer to sign certificates using a HashiCorp Vault
  7365. PKI backend.
  7366. type: object
  7367. required:
  7368. - auth
  7369. - path
  7370. - server
  7371. properties:
  7372. auth:
  7373. description: Auth configures how cert-manager authenticates with the Vault server.
  7374. type: object
  7375. properties:
  7376. appRole:
  7377. description: |-
  7378. AppRole authenticates with Vault using the App Role auth mechanism,
  7379. with the role and secret stored in a Kubernetes Secret resource.
  7380. type: object
  7381. required:
  7382. - path
  7383. - roleId
  7384. - secretRef
  7385. properties:
  7386. path:
  7387. description: |-
  7388. Path where the App Role authentication backend is mounted in Vault, e.g:
  7389. "approle"
  7390. type: string
  7391. roleId:
  7392. description: |-
  7393. RoleID configured in the App Role authentication backend when setting
  7394. up the authentication backend in Vault.
  7395. type: string
  7396. secretRef:
  7397. description: |-
  7398. Reference to a key in a Secret that contains the App Role secret used
  7399. to authenticate with Vault.
  7400. The `key` field must be specified and denotes which entry within the Secret
  7401. resource is used as the app role secret.
  7402. type: object
  7403. required:
  7404. - name
  7405. properties:
  7406. key:
  7407. description: |-
  7408. The key of the entry in the Secret resource's `data` field to be used.
  7409. Some instances of this field may be defaulted, in others it may be
  7410. required.
  7411. type: string
  7412. name:
  7413. description: |-
  7414. Name of the resource being referred to.
  7415. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7416. type: string
  7417. kubernetes:
  7418. description: |-
  7419. Kubernetes authenticates with Vault by passing the ServiceAccount
  7420. token stored in the named Secret resource to the Vault server.
  7421. type: object
  7422. required:
  7423. - role
  7424. properties:
  7425. mountPath:
  7426. description: |-
  7427. The Vault mountPath here is the mount path to use when authenticating with
  7428. Vault. For example, setting a value to `/v1/auth/foo` will use the path
  7429. `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
  7430. default value "/v1/auth/kubernetes" will be used.
  7431. type: string
  7432. role:
  7433. description: |-
  7434. A required field containing the Vault Role to assume. A Role binds a
  7435. Kubernetes ServiceAccount with a set of Vault policies.
  7436. type: string
  7437. secretRef:
  7438. description: |-
  7439. The required Secret field containing a Kubernetes ServiceAccount JWT used
  7440. for authenticating with Vault. Use of 'ambient credentials' is not
  7441. supported.
  7442. type: object
  7443. required:
  7444. - name
  7445. properties:
  7446. key:
  7447. description: |-
  7448. The key of the entry in the Secret resource's `data` field to be used.
  7449. Some instances of this field may be defaulted, in others it may be
  7450. required.
  7451. type: string
  7452. name:
  7453. description: |-
  7454. Name of the resource being referred to.
  7455. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7456. type: string
  7457. serviceAccountRef:
  7458. description: |-
  7459. A reference to a service account that will be used to request a bound
  7460. token (also known as "projected token"). Compared to using "secretRef",
  7461. using this field means that you don't rely on statically bound tokens. To
  7462. use this field, you must configure an RBAC rule to let cert-manager
  7463. request a token.
  7464. type: object
  7465. required:
  7466. - name
  7467. properties:
  7468. audiences:
  7469. description: |-
  7470. TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
  7471. consisting of the issuer's namespace and name is always included.
  7472. type: array
  7473. items:
  7474. type: string
  7475. name:
  7476. description: Name of the ServiceAccount used to request a token.
  7477. type: string
  7478. tokenSecretRef:
  7479. description: TokenSecretRef authenticates with Vault by presenting a token.
  7480. type: object
  7481. required:
  7482. - name
  7483. properties:
  7484. key:
  7485. description: |-
  7486. The key of the entry in the Secret resource's `data` field to be used.
  7487. Some instances of this field may be defaulted, in others it may be
  7488. required.
  7489. type: string
  7490. name:
  7491. description: |-
  7492. Name of the resource being referred to.
  7493. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7494. type: string
  7495. caBundle:
  7496. description: |-
  7497. Base64-encoded bundle of PEM CAs which will be used to validate the certificate
  7498. chain presented by Vault. Only used if using HTTPS to connect to Vault and
  7499. ignored for HTTP connections.
  7500. Mutually exclusive with CABundleSecretRef.
  7501. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
  7502. the cert-manager controller container is used to validate the TLS connection.
  7503. type: string
  7504. format: byte
  7505. caBundleSecretRef:
  7506. description: |-
  7507. Reference to a Secret containing a bundle of PEM-encoded CAs to use when
  7508. verifying the certificate chain presented by Vault when using HTTPS.
  7509. Mutually exclusive with CABundle.
  7510. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
  7511. the cert-manager controller container is used to validate the TLS connection.
  7512. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
  7513. type: object
  7514. required:
  7515. - name
  7516. properties:
  7517. key:
  7518. description: |-
  7519. The key of the entry in the Secret resource's `data` field to be used.
  7520. Some instances of this field may be defaulted, in others it may be
  7521. required.
  7522. type: string
  7523. name:
  7524. description: |-
  7525. Name of the resource being referred to.
  7526. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7527. type: string
  7528. clientCertSecretRef:
  7529. description: |-
  7530. Reference to a Secret containing a PEM-encoded Client Certificate to use when the
  7531. Vault server requires mTLS.
  7532. type: object
  7533. required:
  7534. - name
  7535. properties:
  7536. key:
  7537. description: |-
  7538. The key of the entry in the Secret resource's `data` field to be used.
  7539. Some instances of this field may be defaulted, in others it may be
  7540. required.
  7541. type: string
  7542. name:
  7543. description: |-
  7544. Name of the resource being referred to.
  7545. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7546. type: string
  7547. clientKeySecretRef:
  7548. description: |-
  7549. Reference to a Secret containing a PEM-encoded Client Private Key to use when the
  7550. Vault server requires mTLS.
  7551. type: object
  7552. required:
  7553. - name
  7554. properties:
  7555. key:
  7556. description: |-
  7557. The key of the entry in the Secret resource's `data` field to be used.
  7558. Some instances of this field may be defaulted, in others it may be
  7559. required.
  7560. type: string
  7561. name:
  7562. description: |-
  7563. Name of the resource being referred to.
  7564. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7565. type: string
  7566. namespace:
  7567. description: |-
  7568. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support Secure Multi-tenancy. e.g: "ns1"
  7569. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7570. type: string
  7571. path:
  7572. description: |-
  7573. Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
  7574. "my_pki_mount/sign/my-role-name".
  7575. type: string
  7576. server:
  7577. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7578. type: string
  7579. venafi:
  7580. description: |-
  7581. Venafi configures this issuer to sign certificates using a Venafi TPP
  7582. or Venafi Cloud policy zone.
  7583. type: object
  7584. required:
  7585. - zone
  7586. properties:
  7587. cloud:
  7588. description: |-
  7589. Cloud specifies the Venafi cloud configuration settings.
  7590. Only one of TPP or Cloud may be specified.
  7591. type: object
  7592. required:
  7593. - apiTokenSecretRef
  7594. properties:
  7595. apiTokenSecretRef:
  7596. description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
  7597. type: object
  7598. required:
  7599. - name
  7600. properties:
  7601. key:
  7602. description: |-
  7603. The key of the entry in the Secret resource's `data` field to be used.
  7604. Some instances of this field may be defaulted, in others it may be
  7605. required.
  7606. type: string
  7607. name:
  7608. description: |-
  7609. Name of the resource being referred to.
  7610. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7611. type: string
  7612. url:
  7613. description: |-
  7614. URL is the base URL for Venafi Cloud.
  7615. Defaults to "https://api.venafi.cloud/v1".
  7616. type: string
  7617. tpp:
  7618. description: |-
  7619. TPP specifies Trust Protection Platform configuration settings.
  7620. Only one of TPP or Cloud may be specified.
  7621. type: object
  7622. required:
  7623. - credentialsRef
  7624. - url
  7625. properties:
  7626. caBundle:
  7627. description: |-
  7628. Base64-encoded bundle of PEM CAs which will be used to validate the certificate
  7629. chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
  7630. If undefined, the certificate bundle in the cert-manager controller container
  7631. is used to validate the chain.
  7632. type: string
  7633. format: byte
  7634. credentialsRef:
  7635. description: |-
  7636. CredentialsRef is a reference to a Secret containing the username and
  7637. password for the TPP server.
  7638. The secret must contain two keys, 'username' and 'password'.
  7639. type: object
  7640. required:
  7641. - name
  7642. properties:
  7643. name:
  7644. description: |-
  7645. Name of the resource being referred to.
  7646. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  7647. type: string
  7648. url:
  7649. description: |-
  7650. URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
  7651. for example: "https://tpp.example.com/vedsdk".
  7652. type: string
  7653. zone:
  7654. description: |-
  7655. Zone is the Venafi Policy Zone to use for this issuer.
  7656. All requests made to the Venafi platform will be restricted by the named
  7657. zone policy.
  7658. This field is required.
  7659. type: string
  7660. status:
  7661. description: Status of the Issuer. This is set and managed automatically.
  7662. type: object
  7663. properties:
  7664. acme:
  7665. description: |-
  7666. ACME specific status options.
  7667. This field should only be set if the Issuer is configured to use an ACME
  7668. server to issue certificates.
  7669. type: object
  7670. properties:
  7671. lastPrivateKeyHash:
  7672. description: |-
  7673. LastPrivateKeyHash is a hash of the private key associated with the latest
  7674. registered ACME account, in order to track changes made to registered account
  7675. associated with the Issuer
  7676. type: string
  7677. lastRegisteredEmail:
  7678. description: |-
  7679. LastRegisteredEmail is the email associated with the latest registered
  7680. ACME account, in order to track changes made to registered account
  7681. associated with the Issuer
  7682. type: string
  7683. uri:
  7684. description: |-
  7685. URI is the unique account identifier, which can also be used to retrieve
  7686. account details from the CA
  7687. type: string
  7688. conditions:
  7689. description: |-
  7690. List of status conditions to indicate the status of an Issuer.
  7691. Known condition types are `Ready`.
  7692. type: array
  7693. items:
  7694. description: IssuerCondition contains condition information for an Issuer.
  7695. type: object
  7696. required:
  7697. - status
  7698. - type
  7699. properties:
  7700. lastTransitionTime:
  7701. description: |-
  7702. LastTransitionTime is the timestamp corresponding to the last status
  7703. change of this condition.
  7704. type: string
  7705. format: date-time
  7706. message:
  7707. description: |-
  7708. Message is a human readable description of the details of the last
  7709. transition, complementing reason.
  7710. type: string
  7711. observedGeneration:
  7712. description: |-
  7713. If set, this represents the .metadata.generation that the condition was
  7714. set based upon.
  7715. For instance, if .metadata.generation is currently 12, but the
  7716. .status.condition[x].observedGeneration is 9, the condition is out of date
  7717. with respect to the current state of the Issuer.
  7718. type: integer
  7719. format: int64
  7720. reason:
  7721. description: |-
  7722. Reason is a brief machine readable explanation for the condition's last
  7723. transition.
  7724. type: string
  7725. status:
  7726. description: Status of the condition, one of (`True`, `False`, `Unknown`).
  7727. type: string
  7728. enum:
  7729. - "True"
  7730. - "False"
  7731. - Unknown
  7732. type:
  7733. description: Type of the condition, known values are (`Ready`).
  7734. type: string
  7735. x-kubernetes-list-map-keys:
  7736. - type
  7737. x-kubernetes-list-type: map
  7738. served: true
  7739. storage: true
  7740. # END crd
  7741. ---
  7742. # Source: cert-manager/templates/crds.yaml
  7743. # START crd
  7744. apiVersion: apiextensions.k8s.io/v1
  7745. kind: CustomResourceDefinition
  7746. metadata:
  7747. name: orders.acme.cert-manager.io
  7748. # START annotations
  7749. annotations:
  7750. helm.sh/resource-policy: keep
  7751. # END annotations
  7752. labels:
  7753. app: 'cert-manager'
  7754. app.kubernetes.io/name: 'cert-manager'
  7755. app.kubernetes.io/instance: 'cert-manager'
  7756. app.kubernetes.io/component: "crds"
  7757. # Generated labels
  7758. app.kubernetes.io/version: "v1.15.2"
  7759. spec:
  7760. group: acme.cert-manager.io
  7761. names:
  7762. kind: Order
  7763. listKind: OrderList
  7764. plural: orders
  7765. singular: order
  7766. categories:
  7767. - cert-manager
  7768. - cert-manager-acme
  7769. scope: Namespaced
  7770. versions:
  7771. - name: v1
  7772. subresources:
  7773. status: {}
  7774. additionalPrinterColumns:
  7775. - jsonPath: .status.state
  7776. name: State
  7777. type: string
  7778. - jsonPath: .spec.issuerRef.name
  7779. name: Issuer
  7780. priority: 1
  7781. type: string
  7782. - jsonPath: .status.reason
  7783. name: Reason
  7784. priority: 1
  7785. type: string
  7786. - jsonPath: .metadata.creationTimestamp
  7787. description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
  7788. name: Age
  7789. type: date
  7790. schema:
  7791. openAPIV3Schema:
  7792. description: Order is a type to represent an Order with an ACME server
  7793. type: object
  7794. required:
  7795. - metadata
  7796. - spec
  7797. properties:
  7798. apiVersion:
  7799. description: |-
  7800. APIVersion defines the versioned schema of this representation of an object.
  7801. Servers should convert recognized schemas to the latest internal value, and
  7802. may reject unrecognized values.
  7803. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  7804. type: string
  7805. kind:
  7806. description: |-
  7807. Kind is a string value representing the REST resource this object represents.
  7808. Servers may infer this from the endpoint the client submits requests to.
  7809. Cannot be updated.
  7810. In CamelCase.
  7811. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  7812. type: string
  7813. metadata:
  7814. type: object
  7815. spec:
  7816. type: object
  7817. required:
  7818. - issuerRef
  7819. - request
  7820. properties:
  7821. commonName:
  7822. description: |-
  7823. CommonName is the common name as specified on the DER encoded CSR.
  7824. If specified, this value must also be present in `dnsNames` or `ipAddresses`.
  7825. This field must match the corresponding field on the DER encoded CSR.
  7826. type: string
  7827. dnsNames:
  7828. description: |-
  7829. DNSNames is a list of DNS names that should be included as part of the Order
  7830. validation process.
  7831. This field must match the corresponding field on the DER encoded CSR.
  7832. type: array
  7833. items:
  7834. type: string
  7835. duration:
  7836. description: |-
  7837. Duration is the duration for the not after date for the requested certificate.
  7838. this is set on order creation as pe the ACME spec.
  7839. type: string
  7840. ipAddresses:
  7841. description: |-
  7842. IPAddresses is a list of IP addresses that should be included as part of the Order
  7843. validation process.
  7844. This field must match the corresponding field on the DER encoded CSR.
  7845. type: array
  7846. items:
  7847. type: string
  7848. issuerRef:
  7849. description: |-
  7850. IssuerRef references a properly configured ACME-type Issuer which should
  7851. be used to create this Order.
  7852. If the Issuer does not exist, processing will be retried.
  7853. If the Issuer is not an 'ACME' Issuer, an error will be returned and the
  7854. Order will be marked as failed.
  7855. type: object
  7856. required:
  7857. - name
  7858. properties:
  7859. group:
  7860. description: Group of the resource being referred to.
  7861. type: string
  7862. kind:
  7863. description: Kind of the resource being referred to.
  7864. type: string
  7865. name:
  7866. description: Name of the resource being referred to.
  7867. type: string
  7868. request:
  7869. description: |-
  7870. Certificate signing request bytes in DER encoding.
  7871. This will be used when finalizing the order.
  7872. This field must be set on the order.
  7873. type: string
  7874. format: byte
  7875. status:
  7876. type: object
  7877. properties:
  7878. authorizations:
  7879. description: |-
  7880. Authorizations contains data returned from the ACME server on what
  7881. authorizations must be completed in order to validate the DNS names
  7882. specified on the Order.
  7883. type: array
  7884. items:
  7885. description: |-
  7886. ACMEAuthorization contains data returned from the ACME server on an
  7887. authorization that must be completed in order validate a DNS name on an ACME
  7888. Order resource.
  7889. type: object
  7890. required:
  7891. - url
  7892. properties:
  7893. challenges:
  7894. description: |-
  7895. Challenges specifies the challenge types offered by the ACME server.
  7896. One of these challenge types will be selected when validating the DNS
  7897. name and an appropriate Challenge resource will be created to perform
  7898. the ACME challenge process.
  7899. type: array
  7900. items:
  7901. description: |-
  7902. Challenge specifies a challenge offered by the ACME server for an Order.
  7903. An appropriate Challenge resource can be created to perform the ACME
  7904. challenge process.
  7905. type: object
  7906. required:
  7907. - token
  7908. - type
  7909. - url
  7910. properties:
  7911. token:
  7912. description: |-
  7913. Token is the token that must be presented for this challenge.
  7914. This is used to compute the 'key' that must also be presented.
  7915. type: string
  7916. type:
  7917. description: |-
  7918. Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
  7919. 'tls-sni-01', etc.
  7920. This is the raw value retrieved from the ACME server.
  7921. Only 'http-01' and 'dns-01' are supported by cert-manager, other values
  7922. will be ignored.
  7923. type: string
  7924. url:
  7925. description: |-
  7926. URL is the URL of this challenge. It can be used to retrieve additional
  7927. metadata about the Challenge from the ACME server.
  7928. type: string
  7929. identifier:
  7930. description: Identifier is the DNS name to be validated as part of this authorization
  7931. type: string
  7932. initialState:
  7933. description: |-
  7934. InitialState is the initial state of the ACME authorization when first
  7935. fetched from the ACME server.
  7936. If an Authorization is already 'valid', the Order controller will not
  7937. create a Challenge resource for the authorization. This will occur when
  7938. working with an ACME server that enables 'authz reuse' (such as Let's
  7939. Encrypt's production endpoint).
  7940. If not set and 'identifier' is set, the state is assumed to be pending
  7941. and a Challenge will be created.
  7942. type: string
  7943. enum:
  7944. - valid
  7945. - ready
  7946. - pending
  7947. - processing
  7948. - invalid
  7949. - expired
  7950. - errored
  7951. url:
  7952. description: URL is the URL of the Authorization that must be completed
  7953. type: string
  7954. wildcard:
  7955. description: |-
  7956. Wildcard will be true if this authorization is for a wildcard DNS name.
  7957. If this is true, the identifier will be the *non-wildcard* version of
  7958. the DNS name.
  7959. For example, if '*.example.com' is the DNS name being validated, this
  7960. field will be 'true' and the 'identifier' field will be 'example.com'.
  7961. type: boolean
  7962. certificate:
  7963. description: |-
  7964. Certificate is a copy of the PEM encoded certificate for this Order.
  7965. This field will be populated after the order has been successfully
  7966. finalized with the ACME server, and the order has transitioned to the
  7967. 'valid' state.
  7968. type: string
  7969. format: byte
  7970. failureTime:
  7971. description: |-
  7972. FailureTime stores the time that this order failed.
  7973. This is used to influence garbage collection and back-off.
  7974. type: string
  7975. format: date-time
  7976. finalizeURL:
  7977. description: |-
  7978. FinalizeURL of the Order.
  7979. This is used to obtain certificates for this order once it has been completed.
  7980. type: string
  7981. reason:
  7982. description: |-
  7983. Reason optionally provides more information about a why the order is in
  7984. the current state.
  7985. type: string
  7986. state:
  7987. description: |-
  7988. State contains the current state of this Order resource.
  7989. States 'success' and 'expired' are 'final'
  7990. type: string
  7991. enum:
  7992. - valid
  7993. - ready
  7994. - pending
  7995. - processing
  7996. - invalid
  7997. - expired
  7998. - errored
  7999. url:
  8000. description: |-
  8001. URL of the Order.
  8002. This will initially be empty when the resource is first created.
  8003. The Order controller will populate this field when the Order is first processed.
  8004. This field will be immutable after it is initially set.
  8005. type: string
  8006. served: true
  8007. storage: true
  8008. # END crd
  8009. ---
  8010. # Source: cert-manager/templates/cainjector-serviceaccount.yaml
  8011. apiVersion: v1
  8012. kind: ServiceAccount
  8013. automountServiceAccountToken: true
  8014. metadata:
  8015. name: cert-manager-cainjector
  8016. namespace: obs-operator
  8017. labels:
  8018. app: cainjector
  8019. app.kubernetes.io/name: cainjector
  8020. app.kubernetes.io/instance: cert-manager
  8021. app.kubernetes.io/component: "cainjector"
  8022. app.kubernetes.io/version: "v1.15.2"
  8023. ---
  8024. # Source: cert-manager/templates/serviceaccount.yaml
  8025. apiVersion: v1
  8026. kind: ServiceAccount
  8027. automountServiceAccountToken: true
  8028. metadata:
  8029. name: cert-manager
  8030. namespace: obs-operator
  8031. labels:
  8032. app: cert-manager
  8033. app.kubernetes.io/name: cert-manager
  8034. app.kubernetes.io/instance: cert-manager
  8035. app.kubernetes.io/component: "controller"
  8036. app.kubernetes.io/version: "v1.15.2"
  8037. ---
  8038. # Source: cert-manager/templates/webhook-serviceaccount.yaml
  8039. apiVersion: v1
  8040. kind: ServiceAccount
  8041. automountServiceAccountToken: true
  8042. metadata:
  8043. name: cert-manager-webhook
  8044. namespace: obs-operator
  8045. labels:
  8046. app: webhook
  8047. app.kubernetes.io/name: webhook
  8048. app.kubernetes.io/instance: cert-manager
  8049. app.kubernetes.io/component: "webhook"
  8050. app.kubernetes.io/version: "v1.15.2"
  8051. ---
  8052. # Source: cert-manager/templates/cainjector-rbac.yaml
  8053. apiVersion: rbac.authorization.k8s.io/v1
  8054. kind: ClusterRole
  8055. metadata:
  8056. name: cert-manager-cainjector
  8057. labels:
  8058. app: cainjector
  8059. app.kubernetes.io/name: cainjector
  8060. app.kubernetes.io/instance: cert-manager
  8061. app.kubernetes.io/component: "cainjector"
  8062. app.kubernetes.io/version: "v1.15.2"
  8063. rules:
  8064. - apiGroups: ["cert-manager.io"]
  8065. resources: ["certificates"]
  8066. verbs: ["get", "list", "watch"]
  8067. - apiGroups: [""]
  8068. resources: ["secrets"]
  8069. verbs: ["get", "list", "watch"]
  8070. - apiGroups: [""]
  8071. resources: ["events"]
  8072. verbs: ["get", "create", "update", "patch"]
  8073. - apiGroups: ["admissionregistration.k8s.io"]
  8074. resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  8075. verbs: ["get", "list", "watch", "update", "patch"]
  8076. - apiGroups: ["apiregistration.k8s.io"]
  8077. resources: ["apiservices"]
  8078. verbs: ["get", "list", "watch", "update", "patch"]
  8079. - apiGroups: ["apiextensions.k8s.io"]
  8080. resources: ["customresourcedefinitions"]
  8081. verbs: ["get", "list", "watch", "update", "patch"]
  8082. ---
  8083. # Source: cert-manager/templates/rbac.yaml
  8084. # Issuer controller role
  8085. apiVersion: rbac.authorization.k8s.io/v1
  8086. kind: ClusterRole
  8087. metadata:
  8088. name: cert-manager-controller-issuers
  8089. labels:
  8090. app: cert-manager
  8091. app.kubernetes.io/name: cert-manager
  8092. app.kubernetes.io/instance: cert-manager
  8093. app.kubernetes.io/component: "controller"
  8094. app.kubernetes.io/version: "v1.15.2"
  8095. rules:
  8096. - apiGroups: ["cert-manager.io"]
  8097. resources: ["issuers", "issuers/status"]
  8098. verbs: ["update", "patch"]
  8099. - apiGroups: ["cert-manager.io"]
  8100. resources: ["issuers"]
  8101. verbs: ["get", "list", "watch"]
  8102. - apiGroups: [""]
  8103. resources: ["secrets"]
  8104. verbs: ["get", "list", "watch", "create", "update", "delete"]
  8105. - apiGroups: [""]
  8106. resources: ["events"]
  8107. verbs: ["create", "patch"]
  8108. ---
  8109. # Source: cert-manager/templates/rbac.yaml
  8110. # ClusterIssuer controller role
  8111. apiVersion: rbac.authorization.k8s.io/v1
  8112. kind: ClusterRole
  8113. metadata:
  8114. name: cert-manager-controller-clusterissuers
  8115. labels:
  8116. app: cert-manager
  8117. app.kubernetes.io/name: cert-manager
  8118. app.kubernetes.io/instance: cert-manager
  8119. app.kubernetes.io/component: "controller"
  8120. app.kubernetes.io/version: "v1.15.2"
  8121. rules:
  8122. - apiGroups: ["cert-manager.io"]
  8123. resources: ["clusterissuers", "clusterissuers/status"]
  8124. verbs: ["update", "patch"]
  8125. - apiGroups: ["cert-manager.io"]
  8126. resources: ["clusterissuers"]
  8127. verbs: ["get", "list", "watch"]
  8128. - apiGroups: [""]
  8129. resources: ["secrets"]
  8130. verbs: ["get", "list", "watch", "create", "update", "delete"]
  8131. - apiGroups: [""]
  8132. resources: ["events"]
  8133. verbs: ["create", "patch"]
  8134. ---
  8135. # Source: cert-manager/templates/rbac.yaml
  8136. # Certificates controller role
  8137. apiVersion: rbac.authorization.k8s.io/v1
  8138. kind: ClusterRole
  8139. metadata:
  8140. name: cert-manager-controller-certificates
  8141. labels:
  8142. app: cert-manager
  8143. app.kubernetes.io/name: cert-manager
  8144. app.kubernetes.io/instance: cert-manager
  8145. app.kubernetes.io/component: "controller"
  8146. app.kubernetes.io/version: "v1.15.2"
  8147. rules:
  8148. - apiGroups: ["cert-manager.io"]
  8149. resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
  8150. verbs: ["update", "patch"]
  8151. - apiGroups: ["cert-manager.io"]
  8152. resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
  8153. verbs: ["get", "list", "watch"]
  8154. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  8155. # admission controller enabled:
  8156. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  8157. - apiGroups: ["cert-manager.io"]
  8158. resources: ["certificates/finalizers", "certificaterequests/finalizers"]
  8159. verbs: ["update"]
  8160. - apiGroups: ["acme.cert-manager.io"]
  8161. resources: ["orders"]
  8162. verbs: ["create", "delete", "get", "list", "watch"]
  8163. - apiGroups: [""]
  8164. resources: ["secrets"]
  8165. verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  8166. - apiGroups: [""]
  8167. resources: ["events"]
  8168. verbs: ["create", "patch"]
  8169. ---
  8170. # Source: cert-manager/templates/rbac.yaml
  8171. # Orders controller role
  8172. apiVersion: rbac.authorization.k8s.io/v1
  8173. kind: ClusterRole
  8174. metadata:
  8175. name: cert-manager-controller-orders
  8176. labels:
  8177. app: cert-manager
  8178. app.kubernetes.io/name: cert-manager
  8179. app.kubernetes.io/instance: cert-manager
  8180. app.kubernetes.io/component: "controller"
  8181. app.kubernetes.io/version: "v1.15.2"
  8182. rules:
  8183. - apiGroups: ["acme.cert-manager.io"]
  8184. resources: ["orders", "orders/status"]
  8185. verbs: ["update", "patch"]
  8186. - apiGroups: ["acme.cert-manager.io"]
  8187. resources: ["orders", "challenges"]
  8188. verbs: ["get", "list", "watch"]
  8189. - apiGroups: ["cert-manager.io"]
  8190. resources: ["clusterissuers", "issuers"]
  8191. verbs: ["get", "list", "watch"]
  8192. - apiGroups: ["acme.cert-manager.io"]
  8193. resources: ["challenges"]
  8194. verbs: ["create", "delete"]
  8195. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  8196. # admission controller enabled:
  8197. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  8198. - apiGroups: ["acme.cert-manager.io"]
  8199. resources: ["orders/finalizers"]
  8200. verbs: ["update"]
  8201. - apiGroups: [""]
  8202. resources: ["secrets"]
  8203. verbs: ["get", "list", "watch"]
  8204. - apiGroups: [""]
  8205. resources: ["events"]
  8206. verbs: ["create", "patch"]
  8207. ---
  8208. # Source: cert-manager/templates/rbac.yaml
  8209. # Challenges controller role
  8210. apiVersion: rbac.authorization.k8s.io/v1
  8211. kind: ClusterRole
  8212. metadata:
  8213. name: cert-manager-controller-challenges
  8214. labels:
  8215. app: cert-manager
  8216. app.kubernetes.io/name: cert-manager
  8217. app.kubernetes.io/instance: cert-manager
  8218. app.kubernetes.io/component: "controller"
  8219. app.kubernetes.io/version: "v1.15.2"
  8220. rules:
  8221. # Use to update challenge resource status
  8222. - apiGroups: ["acme.cert-manager.io"]
  8223. resources: ["challenges", "challenges/status"]
  8224. verbs: ["update", "patch"]
  8225. # Used to watch challenge resources
  8226. - apiGroups: ["acme.cert-manager.io"]
  8227. resources: ["challenges"]
  8228. verbs: ["get", "list", "watch"]
  8229. # Used to watch challenges, issuer and clusterissuer resources
  8230. - apiGroups: ["cert-manager.io"]
  8231. resources: ["issuers", "clusterissuers"]
  8232. verbs: ["get", "list", "watch"]
  8233. # Need to be able to retrieve ACME account private key to complete challenges
  8234. - apiGroups: [""]
  8235. resources: ["secrets"]
  8236. verbs: ["get", "list", "watch"]
  8237. # Used to create events
  8238. - apiGroups: [""]
  8239. resources: ["events"]
  8240. verbs: ["create", "patch"]
  8241. # HTTP01 rules
  8242. - apiGroups: [""]
  8243. resources: ["pods", "services"]
  8244. verbs: ["get", "list", "watch", "create", "delete"]
  8245. - apiGroups: ["networking.k8s.io"]
  8246. resources: ["ingresses"]
  8247. verbs: ["get", "list", "watch", "create", "delete", "update"]
  8248. - apiGroups: [ "gateway.networking.k8s.io" ]
  8249. resources: [ "httproutes" ]
  8250. verbs: ["get", "list", "watch", "create", "delete", "update"]
  8251. # We require the ability to specify a custom hostname when we are creating
  8252. # new ingress resources.
  8253. # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  8254. - apiGroups: ["route.openshift.io"]
  8255. resources: ["routes/custom-host"]
  8256. verbs: ["create"]
  8257. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  8258. # admission controller enabled:
  8259. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  8260. - apiGroups: ["acme.cert-manager.io"]
  8261. resources: ["challenges/finalizers"]
  8262. verbs: ["update"]
  8263. # DNS01 rules (duplicated above)
  8264. - apiGroups: [""]
  8265. resources: ["secrets"]
  8266. verbs: ["get", "list", "watch"]
  8267. ---
  8268. # Source: cert-manager/templates/rbac.yaml
  8269. # ingress-shim controller role
  8270. apiVersion: rbac.authorization.k8s.io/v1
  8271. kind: ClusterRole
  8272. metadata:
  8273. name: cert-manager-controller-ingress-shim
  8274. labels:
  8275. app: cert-manager
  8276. app.kubernetes.io/name: cert-manager
  8277. app.kubernetes.io/instance: cert-manager
  8278. app.kubernetes.io/component: "controller"
  8279. app.kubernetes.io/version: "v1.15.2"
  8280. rules:
  8281. - apiGroups: ["cert-manager.io"]
  8282. resources: ["certificates", "certificaterequests"]
  8283. verbs: ["create", "update", "delete"]
  8284. - apiGroups: ["cert-manager.io"]
  8285. resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
  8286. verbs: ["get", "list", "watch"]
  8287. - apiGroups: ["networking.k8s.io"]
  8288. resources: ["ingresses"]
  8289. verbs: ["get", "list", "watch"]
  8290. # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  8291. # admission controller enabled:
  8292. # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  8293. - apiGroups: ["networking.k8s.io"]
  8294. resources: ["ingresses/finalizers"]
  8295. verbs: ["update"]
  8296. - apiGroups: ["gateway.networking.k8s.io"]
  8297. resources: ["gateways", "httproutes"]
  8298. verbs: ["get", "list", "watch"]
  8299. - apiGroups: ["gateway.networking.k8s.io"]
  8300. resources: ["gateways/finalizers", "httproutes/finalizers"]
  8301. verbs: ["update"]
  8302. - apiGroups: [""]
  8303. resources: ["events"]
  8304. verbs: ["create", "patch"]
  8305. ---
  8306. # Source: cert-manager/templates/rbac.yaml
  8307. apiVersion: rbac.authorization.k8s.io/v1
  8308. kind: ClusterRole
  8309. metadata:
  8310. name: cert-manager-cluster-view
  8311. labels:
  8312. app: cert-manager
  8313. app.kubernetes.io/name: cert-manager
  8314. app.kubernetes.io/instance: cert-manager
  8315. app.kubernetes.io/component: "controller"
  8316. app.kubernetes.io/version: "v1.15.2"
  8317. rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
  8318. rules:
  8319. - apiGroups: ["cert-manager.io"]
  8320. resources: ["clusterissuers"]
  8321. verbs: ["get", "list", "watch"]
  8322. ---
  8323. # Source: cert-manager/templates/rbac.yaml
  8324. apiVersion: rbac.authorization.k8s.io/v1
  8325. kind: ClusterRole
  8326. metadata:
  8327. name: cert-manager-view
  8328. labels:
  8329. app: cert-manager
  8330. app.kubernetes.io/name: cert-manager
  8331. app.kubernetes.io/instance: cert-manager
  8332. app.kubernetes.io/component: "controller"
  8333. app.kubernetes.io/version: "v1.15.2"
  8334. rbac.authorization.k8s.io/aggregate-to-view: "true"
  8335. rbac.authorization.k8s.io/aggregate-to-edit: "true"
  8336. rbac.authorization.k8s.io/aggregate-to-admin: "true"
  8337. rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
  8338. rules:
  8339. - apiGroups: ["cert-manager.io"]
  8340. resources: ["certificates", "certificaterequests", "issuers"]
  8341. verbs: ["get", "list", "watch"]
  8342. - apiGroups: ["acme.cert-manager.io"]
  8343. resources: ["challenges", "orders"]
  8344. verbs: ["get", "list", "watch"]
  8345. ---
  8346. # Source: cert-manager/templates/rbac.yaml
  8347. apiVersion: rbac.authorization.k8s.io/v1
  8348. kind: ClusterRole
  8349. metadata:
  8350. name: cert-manager-edit
  8351. labels:
  8352. app: cert-manager
  8353. app.kubernetes.io/name: cert-manager
  8354. app.kubernetes.io/instance: cert-manager
  8355. app.kubernetes.io/component: "controller"
  8356. app.kubernetes.io/version: "v1.15.2"
  8357. rbac.authorization.k8s.io/aggregate-to-edit: "true"
  8358. rbac.authorization.k8s.io/aggregate-to-admin: "true"
  8359. rules:
  8360. - apiGroups: ["cert-manager.io"]
  8361. resources: ["certificates", "certificaterequests", "issuers"]
  8362. verbs: ["create", "delete", "deletecollection", "patch", "update"]
  8363. - apiGroups: ["cert-manager.io"]
  8364. resources: ["certificates/status"]
  8365. verbs: ["update"]
  8366. - apiGroups: ["acme.cert-manager.io"]
  8367. resources: ["challenges", "orders"]
  8368. verbs: ["create", "delete", "deletecollection", "patch", "update"]
  8369. ---
  8370. # Source: cert-manager/templates/rbac.yaml
  8371. # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
  8372. apiVersion: rbac.authorization.k8s.io/v1
  8373. kind: ClusterRole
  8374. metadata:
  8375. name: cert-manager-controller-approve:cert-manager-io
  8376. labels:
  8377. app: cert-manager
  8378. app.kubernetes.io/name: cert-manager
  8379. app.kubernetes.io/instance: cert-manager
  8380. app.kubernetes.io/component: "cert-manager"
  8381. app.kubernetes.io/version: "v1.15.2"
  8382. rules:
  8383. - apiGroups: ["cert-manager.io"]
  8384. resources: ["signers"]
  8385. verbs: ["approve"]
  8386. resourceNames:
  8387. - "issuers.cert-manager.io/*"
  8388. - "clusterissuers.cert-manager.io/*"
  8389. ---
  8390. # Source: cert-manager/templates/rbac.yaml
  8391. # Permission to:
  8392. # - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
  8393. # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
  8394. apiVersion: rbac.authorization.k8s.io/v1
  8395. kind: ClusterRole
  8396. metadata:
  8397. name: cert-manager-controller-certificatesigningrequests
  8398. labels:
  8399. app: cert-manager
  8400. app.kubernetes.io/name: cert-manager
  8401. app.kubernetes.io/instance: cert-manager
  8402. app.kubernetes.io/component: "cert-manager"
  8403. app.kubernetes.io/version: "v1.15.2"
  8404. rules:
  8405. - apiGroups: ["certificates.k8s.io"]
  8406. resources: ["certificatesigningrequests"]
  8407. verbs: ["get", "list", "watch", "update"]
  8408. - apiGroups: ["certificates.k8s.io"]
  8409. resources: ["certificatesigningrequests/status"]
  8410. verbs: ["update", "patch"]
  8411. - apiGroups: ["certificates.k8s.io"]
  8412. resources: ["signers"]
  8413. resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
  8414. verbs: ["sign"]
  8415. - apiGroups: ["authorization.k8s.io"]
  8416. resources: ["subjectaccessreviews"]
  8417. verbs: ["create"]
  8418. ---
  8419. # Source: cert-manager/templates/webhook-rbac.yaml
  8420. apiVersion: rbac.authorization.k8s.io/v1
  8421. kind: ClusterRole
  8422. metadata:
  8423. name: cert-manager-webhook:subjectaccessreviews
  8424. labels:
  8425. app: webhook
  8426. app.kubernetes.io/name: webhook
  8427. app.kubernetes.io/instance: cert-manager
  8428. app.kubernetes.io/component: "webhook"
  8429. app.kubernetes.io/version: "v1.15.2"
  8430. rules:
  8431. - apiGroups: ["authorization.k8s.io"]
  8432. resources: ["subjectaccessreviews"]
  8433. verbs: ["create"]
  8434. ---
  8435. # Source: cert-manager/templates/cainjector-rbac.yaml
  8436. apiVersion: rbac.authorization.k8s.io/v1
  8437. kind: ClusterRoleBinding
  8438. metadata:
  8439. name: cert-manager-cainjector
  8440. labels:
  8441. app: cainjector
  8442. app.kubernetes.io/name: cainjector
  8443. app.kubernetes.io/instance: cert-manager
  8444. app.kubernetes.io/component: "cainjector"
  8445. app.kubernetes.io/version: "v1.15.2"
  8446. roleRef:
  8447. apiGroup: rbac.authorization.k8s.io
  8448. kind: ClusterRole
  8449. name: cert-manager-cainjector
  8450. subjects:
  8451. - name: cert-manager-cainjector
  8452. namespace: obs-operator
  8453. kind: ServiceAccount
  8454. ---
  8455. # Source: cert-manager/templates/rbac.yaml
  8456. apiVersion: rbac.authorization.k8s.io/v1
  8457. kind: ClusterRoleBinding
  8458. metadata:
  8459. name: cert-manager-controller-issuers
  8460. labels:
  8461. app: cert-manager
  8462. app.kubernetes.io/name: cert-manager
  8463. app.kubernetes.io/instance: cert-manager
  8464. app.kubernetes.io/component: "controller"
  8465. app.kubernetes.io/version: "v1.15.2"
  8466. roleRef:
  8467. apiGroup: rbac.authorization.k8s.io
  8468. kind: ClusterRole
  8469. name: cert-manager-controller-issuers
  8470. subjects:
  8471. - name: cert-manager
  8472. namespace: obs-operator
  8473. kind: ServiceAccount
  8474. ---
  8475. # Source: cert-manager/templates/rbac.yaml
  8476. apiVersion: rbac.authorization.k8s.io/v1
  8477. kind: ClusterRoleBinding
  8478. metadata:
  8479. name: cert-manager-controller-clusterissuers
  8480. labels:
  8481. app: cert-manager
  8482. app.kubernetes.io/name: cert-manager
  8483. app.kubernetes.io/instance: cert-manager
  8484. app.kubernetes.io/component: "controller"
  8485. app.kubernetes.io/version: "v1.15.2"
  8486. roleRef:
  8487. apiGroup: rbac.authorization.k8s.io
  8488. kind: ClusterRole
  8489. name: cert-manager-controller-clusterissuers
  8490. subjects:
  8491. - name: cert-manager
  8492. namespace: obs-operator
  8493. kind: ServiceAccount
  8494. ---
  8495. # Source: cert-manager/templates/rbac.yaml
  8496. apiVersion: rbac.authorization.k8s.io/v1
  8497. kind: ClusterRoleBinding
  8498. metadata:
  8499. name: cert-manager-controller-certificates
  8500. labels:
  8501. app: cert-manager
  8502. app.kubernetes.io/name: cert-manager
  8503. app.kubernetes.io/instance: cert-manager
  8504. app.kubernetes.io/component: "controller"
  8505. app.kubernetes.io/version: "v1.15.2"
  8506. roleRef:
  8507. apiGroup: rbac.authorization.k8s.io
  8508. kind: ClusterRole
  8509. name: cert-manager-controller-certificates
  8510. subjects:
  8511. - name: cert-manager
  8512. namespace: obs-operator
  8513. kind: ServiceAccount
  8514. ---
  8515. # Source: cert-manager/templates/rbac.yaml
  8516. apiVersion: rbac.authorization.k8s.io/v1
  8517. kind: ClusterRoleBinding
  8518. metadata:
  8519. name: cert-manager-controller-orders
  8520. labels:
  8521. app: cert-manager
  8522. app.kubernetes.io/name: cert-manager
  8523. app.kubernetes.io/instance: cert-manager
  8524. app.kubernetes.io/component: "controller"
  8525. app.kubernetes.io/version: "v1.15.2"
  8526. roleRef:
  8527. apiGroup: rbac.authorization.k8s.io
  8528. kind: ClusterRole
  8529. name: cert-manager-controller-orders
  8530. subjects:
  8531. - name: cert-manager
  8532. namespace: obs-operator
  8533. kind: ServiceAccount
  8534. ---
  8535. # Source: cert-manager/templates/rbac.yaml
  8536. apiVersion: rbac.authorization.k8s.io/v1
  8537. kind: ClusterRoleBinding
  8538. metadata:
  8539. name: cert-manager-controller-challenges
  8540. labels:
  8541. app: cert-manager
  8542. app.kubernetes.io/name: cert-manager
  8543. app.kubernetes.io/instance: cert-manager
  8544. app.kubernetes.io/component: "controller"
  8545. app.kubernetes.io/version: "v1.15.2"
  8546. roleRef:
  8547. apiGroup: rbac.authorization.k8s.io
  8548. kind: ClusterRole
  8549. name: cert-manager-controller-challenges
  8550. subjects:
  8551. - name: cert-manager
  8552. namespace: obs-operator
  8553. kind: ServiceAccount
  8554. ---
  8555. # Source: cert-manager/templates/rbac.yaml
  8556. apiVersion: rbac.authorization.k8s.io/v1
  8557. kind: ClusterRoleBinding
  8558. metadata:
  8559. name: cert-manager-controller-ingress-shim
  8560. labels:
  8561. app: cert-manager
  8562. app.kubernetes.io/name: cert-manager
  8563. app.kubernetes.io/instance: cert-manager
  8564. app.kubernetes.io/component: "controller"
  8565. app.kubernetes.io/version: "v1.15.2"
  8566. roleRef:
  8567. apiGroup: rbac.authorization.k8s.io
  8568. kind: ClusterRole
  8569. name: cert-manager-controller-ingress-shim
  8570. subjects:
  8571. - name: cert-manager
  8572. namespace: obs-operator
  8573. kind: ServiceAccount
  8574. ---
  8575. # Source: cert-manager/templates/rbac.yaml
  8576. apiVersion: rbac.authorization.k8s.io/v1
  8577. kind: ClusterRoleBinding
  8578. metadata:
  8579. name: cert-manager-controller-approve:cert-manager-io
  8580. labels:
  8581. app: cert-manager
  8582. app.kubernetes.io/name: cert-manager
  8583. app.kubernetes.io/instance: cert-manager
  8584. app.kubernetes.io/component: "cert-manager"
  8585. app.kubernetes.io/version: "v1.15.2"
  8586. roleRef:
  8587. apiGroup: rbac.authorization.k8s.io
  8588. kind: ClusterRole
  8589. name: cert-manager-controller-approve:cert-manager-io
  8590. subjects:
  8591. - name: cert-manager
  8592. namespace: obs-operator
  8593. kind: ServiceAccount
  8594. ---
  8595. # Source: cert-manager/templates/rbac.yaml
  8596. apiVersion: rbac.authorization.k8s.io/v1
  8597. kind: ClusterRoleBinding
  8598. metadata:
  8599. name: cert-manager-controller-certificatesigningrequests
  8600. labels:
  8601. app: cert-manager
  8602. app.kubernetes.io/name: cert-manager
  8603. app.kubernetes.io/instance: cert-manager
  8604. app.kubernetes.io/component: "cert-manager"
  8605. app.kubernetes.io/version: "v1.15.2"
  8606. roleRef:
  8607. apiGroup: rbac.authorization.k8s.io
  8608. kind: ClusterRole
  8609. name: cert-manager-controller-certificatesigningrequests
  8610. subjects:
  8611. - name: cert-manager
  8612. namespace: obs-operator
  8613. kind: ServiceAccount
  8614. ---
  8615. # Source: cert-manager/templates/webhook-rbac.yaml
  8616. apiVersion: rbac.authorization.k8s.io/v1
  8617. kind: ClusterRoleBinding
  8618. metadata:
  8619. name: cert-manager-webhook:subjectaccessreviews
  8620. labels:
  8621. app: webhook
  8622. app.kubernetes.io/name: webhook
  8623. app.kubernetes.io/instance: cert-manager
  8624. app.kubernetes.io/component: "webhook"
  8625. app.kubernetes.io/version: "v1.15.2"
  8626. roleRef:
  8627. apiGroup: rbac.authorization.k8s.io
  8628. kind: ClusterRole
  8629. name: cert-manager-webhook:subjectaccessreviews
  8630. subjects:
  8631. - apiGroup: ""
  8632. kind: ServiceAccount
  8633. name: cert-manager-webhook
  8634. namespace: obs-operator
  8635. ---
  8636. # Source: cert-manager/templates/cainjector-rbac.yaml
  8637. # leader election rules
  8638. apiVersion: rbac.authorization.k8s.io/v1
  8639. kind: Role
  8640. metadata:
  8641. name: cert-manager-cainjector:leaderelection
  8642. namespace: kube-system
  8643. labels:
  8644. app: cainjector
  8645. app.kubernetes.io/name: cainjector
  8646. app.kubernetes.io/instance: cert-manager
  8647. app.kubernetes.io/component: "cainjector"
  8648. app.kubernetes.io/version: "v1.15.2"
  8649. rules:
  8650. # Used for leader election by the controller
  8651. # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  8652. # see cmd/cainjector/start.go#L113
  8653. # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  8654. # see cmd/cainjector/start.go#L137
  8655. - apiGroups: ["coordination.k8s.io"]
  8656. resources: ["leases"]
  8657. resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
  8658. verbs: ["get", "update", "patch"]
  8659. - apiGroups: ["coordination.k8s.io"]
  8660. resources: ["leases"]
  8661. verbs: ["create"]
  8662. ---
  8663. # Source: cert-manager/templates/rbac.yaml
  8664. apiVersion: rbac.authorization.k8s.io/v1
  8665. kind: Role
  8666. metadata:
  8667. name: cert-manager:leaderelection
  8668. namespace: kube-system
  8669. labels:
  8670. app: cert-manager
  8671. app.kubernetes.io/name: cert-manager
  8672. app.kubernetes.io/instance: cert-manager
  8673. app.kubernetes.io/component: "controller"
  8674. app.kubernetes.io/version: "v1.15.2"
  8675. rules:
  8676. - apiGroups: ["coordination.k8s.io"]
  8677. resources: ["leases"]
  8678. resourceNames: ["cert-manager-controller"]
  8679. verbs: ["get", "update", "patch"]
  8680. - apiGroups: ["coordination.k8s.io"]
  8681. resources: ["leases"]
  8682. verbs: ["create"]
  8683. ---
  8684. # Source: cert-manager/templates/webhook-rbac.yaml
  8685. apiVersion: rbac.authorization.k8s.io/v1
  8686. kind: Role
  8687. metadata:
  8688. name: cert-manager-webhook:dynamic-serving
  8689. namespace: obs-operator
  8690. labels:
  8691. app: webhook
  8692. app.kubernetes.io/name: webhook
  8693. app.kubernetes.io/instance: cert-manager
  8694. app.kubernetes.io/component: "webhook"
  8695. app.kubernetes.io/version: "v1.15.2"
  8696. rules:
  8697. - apiGroups: [""]
  8698. resources: ["secrets"]
  8699. resourceNames:
  8700. - 'cert-manager-webhook-ca'
  8701. verbs: ["get", "list", "watch", "update"]
  8702. # It's not possible to grant CREATE permission on a single resourceName.
  8703. - apiGroups: [""]
  8704. resources: ["secrets"]
  8705. verbs: ["create"]
  8706. ---
  8707. # Source: cert-manager/templates/cainjector-rbac.yaml
  8708. # grant cert-manager permission to manage the leaderelection configmap in the
  8709. # leader election namespace
  8710. apiVersion: rbac.authorization.k8s.io/v1
  8711. kind: RoleBinding
  8712. metadata:
  8713. name: cert-manager-cainjector:leaderelection
  8714. namespace: kube-system
  8715. labels:
  8716. app: cainjector
  8717. app.kubernetes.io/name: cainjector
  8718. app.kubernetes.io/instance: cert-manager
  8719. app.kubernetes.io/component: "cainjector"
  8720. app.kubernetes.io/version: "v1.15.2"
  8721. roleRef:
  8722. apiGroup: rbac.authorization.k8s.io
  8723. kind: Role
  8724. name: cert-manager-cainjector:leaderelection
  8725. subjects:
  8726. - kind: ServiceAccount
  8727. name: cert-manager-cainjector
  8728. namespace: obs-operator
  8729. ---
  8730. # Source: cert-manager/templates/rbac.yaml
  8731. # grant cert-manager permission to manage the leaderelection configmap in the
  8732. # leader election namespace
  8733. apiVersion: rbac.authorization.k8s.io/v1
  8734. kind: RoleBinding
  8735. metadata:
  8736. name: cert-manager:leaderelection
  8737. namespace: kube-system
  8738. labels:
  8739. app: cert-manager
  8740. app.kubernetes.io/name: cert-manager
  8741. app.kubernetes.io/instance: cert-manager
  8742. app.kubernetes.io/component: "controller"
  8743. app.kubernetes.io/version: "v1.15.2"
  8744. roleRef:
  8745. apiGroup: rbac.authorization.k8s.io
  8746. kind: Role
  8747. name: cert-manager:leaderelection
  8748. subjects:
  8749. - apiGroup: ""
  8750. kind: ServiceAccount
  8751. name: cert-manager
  8752. namespace: obs-operator
  8753. ---
  8754. # Source: cert-manager/templates/webhook-rbac.yaml
  8755. apiVersion: rbac.authorization.k8s.io/v1
  8756. kind: RoleBinding
  8757. metadata:
  8758. name: cert-manager-webhook:dynamic-serving
  8759. namespace: obs-operator
  8760. labels:
  8761. app: webhook
  8762. app.kubernetes.io/name: webhook
  8763. app.kubernetes.io/instance: cert-manager
  8764. app.kubernetes.io/component: "webhook"
  8765. app.kubernetes.io/version: "v1.15.2"
  8766. roleRef:
  8767. apiGroup: rbac.authorization.k8s.io
  8768. kind: Role
  8769. name: cert-manager-webhook:dynamic-serving
  8770. subjects:
  8771. - apiGroup: ""
  8772. kind: ServiceAccount
  8773. name: cert-manager-webhook
  8774. namespace: obs-operator
  8775. ---
  8776. # Source: cert-manager/templates/service.yaml
  8777. apiVersion: v1
  8778. kind: Service
  8779. metadata:
  8780. name: cert-manager
  8781. namespace: obs-operator
  8782. labels:
  8783. app: cert-manager
  8784. app.kubernetes.io/name: cert-manager
  8785. app.kubernetes.io/instance: cert-manager
  8786. app.kubernetes.io/component: "controller"
  8787. app.kubernetes.io/version: "v1.15.2"
  8788. spec:
  8789. type: ClusterIP
  8790. ports:
  8791. - protocol: TCP
  8792. port: 9402
  8793. name: tcp-prometheus-servicemonitor
  8794. targetPort: 9402
  8795. selector:
  8796. app.kubernetes.io/name: cert-manager
  8797. app.kubernetes.io/instance: cert-manager
  8798. app.kubernetes.io/component: "controller"
  8799. ---
  8800. # Source: cert-manager/templates/webhook-service.yaml
  8801. apiVersion: v1
  8802. kind: Service
  8803. metadata:
  8804. name: cert-manager-webhook
  8805. namespace: obs-operator
  8806. labels:
  8807. app: webhook
  8808. app.kubernetes.io/name: webhook
  8809. app.kubernetes.io/instance: cert-manager
  8810. app.kubernetes.io/component: "webhook"
  8811. app.kubernetes.io/version: "v1.15.2"
  8812. spec:
  8813. type: ClusterIP
  8814. ports:
  8815. - name: https
  8816. port: 443
  8817. protocol: TCP
  8818. targetPort: "https"
  8819. selector:
  8820. app.kubernetes.io/name: webhook
  8821. app.kubernetes.io/instance: cert-manager
  8822. app.kubernetes.io/component: "webhook"
  8823. ---
  8824. # Source: cert-manager/templates/cainjector-deployment.yaml
  8825. apiVersion: apps/v1
  8826. kind: Deployment
  8827. metadata:
  8828. name: cert-manager-cainjector
  8829. namespace: obs-operator
  8830. labels:
  8831. app: cainjector
  8832. app.kubernetes.io/name: cainjector
  8833. app.kubernetes.io/instance: cert-manager
  8834. app.kubernetes.io/component: "cainjector"
  8835. app.kubernetes.io/version: "v1.15.2"
  8836. spec:
  8837. replicas: 1
  8838. selector:
  8839. matchLabels:
  8840. app.kubernetes.io/name: cainjector
  8841. app.kubernetes.io/instance: cert-manager
  8842. app.kubernetes.io/component: "cainjector"
  8843. template:
  8844. metadata:
  8845. labels:
  8846. app: cainjector
  8847. app.kubernetes.io/name: cainjector
  8848. app.kubernetes.io/instance: cert-manager
  8849. app.kubernetes.io/component: "cainjector"
  8850. app.kubernetes.io/version: "v1.15.2"
  8851. spec:
  8852. serviceAccountName: cert-manager-cainjector
  8853. enableServiceLinks: false
  8854. securityContext:
  8855. runAsNonRoot: true
  8856. seccompProfile:
  8857. type: RuntimeDefault
  8858. containers:
  8859. - name: cert-manager-cainjector
  8860. image: "quay.io/jetstack/cert-manager-cainjector:v1.15.2"
  8861. imagePullPolicy: IfNotPresent
  8862. args:
  8863. - --v=2
  8864. - --leader-election-namespace=kube-system
  8865. env:
  8866. - name: POD_NAMESPACE
  8867. valueFrom:
  8868. fieldRef:
  8869. fieldPath: metadata.namespace
  8870. securityContext:
  8871. allowPrivilegeEscalation: false
  8872. capabilities:
  8873. drop:
  8874. - ALL
  8875. readOnlyRootFilesystem: true
  8876. nodeSelector:
  8877. kubernetes.io/os: linux
  8878. ---
  8879. # Source: cert-manager/templates/deployment.yaml
  8880. apiVersion: apps/v1
  8881. kind: Deployment
  8882. metadata:
  8883. name: cert-manager
  8884. namespace: obs-operator
  8885. labels:
  8886. app: cert-manager
  8887. app.kubernetes.io/name: cert-manager
  8888. app.kubernetes.io/instance: cert-manager
  8889. app.kubernetes.io/component: "controller"
  8890. app.kubernetes.io/version: "v1.15.2"
  8891. spec:
  8892. replicas: 1
  8893. selector:
  8894. matchLabels:
  8895. app.kubernetes.io/name: cert-manager
  8896. app.kubernetes.io/instance: cert-manager
  8897. app.kubernetes.io/component: "controller"
  8898. template:
  8899. metadata:
  8900. labels:
  8901. app: cert-manager
  8902. app.kubernetes.io/name: cert-manager
  8903. app.kubernetes.io/instance: cert-manager
  8904. app.kubernetes.io/component: "controller"
  8905. app.kubernetes.io/version: "v1.15.2"
  8906. annotations:
  8907. prometheus.io/path: "/metrics"
  8908. prometheus.io/scrape: 'true'
  8909. prometheus.io/port: '9402'
  8910. spec:
  8911. serviceAccountName: cert-manager
  8912. enableServiceLinks: false
  8913. securityContext:
  8914. runAsNonRoot: true
  8915. seccompProfile:
  8916. type: RuntimeDefault
  8917. containers:
  8918. - name: cert-manager-controller
  8919. image: "quay.io/jetstack/cert-manager-controller:v1.15.2"
  8920. imagePullPolicy: IfNotPresent
  8921. args:
  8922. - --v=2
  8923. - --cluster-resource-namespace=$(POD_NAMESPACE)
  8924. - --leader-election-namespace=kube-system
  8925. - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.2
  8926. - --max-concurrent-challenges=60
  8927. ports:
  8928. - containerPort: 9402
  8929. name: http-metrics
  8930. protocol: TCP
  8931. - containerPort: 9403
  8932. name: http-healthz
  8933. protocol: TCP
  8934. securityContext:
  8935. allowPrivilegeEscalation: false
  8936. capabilities:
  8937. drop:
  8938. - ALL
  8939. readOnlyRootFilesystem: true
  8940. env:
  8941. - name: POD_NAMESPACE
  8942. valueFrom:
  8943. fieldRef:
  8944. fieldPath: metadata.namespace
  8945. # LivenessProbe settings are based on those used for the Kubernetes
  8946. # controller-manager. See:
  8947. # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
  8948. livenessProbe:
  8949. httpGet:
  8950. port: http-healthz
  8951. path: /livez
  8952. scheme: HTTP
  8953. initialDelaySeconds: 10
  8954. periodSeconds: 10
  8955. timeoutSeconds: 15
  8956. successThreshold: 1
  8957. failureThreshold: 8
  8958. nodeSelector:
  8959. kubernetes.io/os: linux
  8960. ---
  8961. # Source: cert-manager/templates/webhook-deployment.yaml
  8962. apiVersion: apps/v1
  8963. kind: Deployment
  8964. metadata:
  8965. name: cert-manager-webhook
  8966. namespace: obs-operator
  8967. labels:
  8968. app: webhook
  8969. app.kubernetes.io/name: webhook
  8970. app.kubernetes.io/instance: cert-manager
  8971. app.kubernetes.io/component: "webhook"
  8972. app.kubernetes.io/version: "v1.15.2"
  8973. spec:
  8974. replicas: 1
  8975. selector:
  8976. matchLabels:
  8977. app.kubernetes.io/name: webhook
  8978. app.kubernetes.io/instance: cert-manager
  8979. app.kubernetes.io/component: "webhook"
  8980. template:
  8981. metadata:
  8982. labels:
  8983. app: webhook
  8984. app.kubernetes.io/name: webhook
  8985. app.kubernetes.io/instance: cert-manager
  8986. app.kubernetes.io/component: "webhook"
  8987. app.kubernetes.io/version: "v1.15.2"
  8988. spec:
  8989. serviceAccountName: cert-manager-webhook
  8990. enableServiceLinks: false
  8991. securityContext:
  8992. runAsNonRoot: true
  8993. seccompProfile:
  8994. type: RuntimeDefault
  8995. containers:
  8996. - name: cert-manager-webhook
  8997. image: "quay.io/jetstack/cert-manager-webhook:v1.15.2"
  8998. imagePullPolicy: IfNotPresent
  8999. args:
  9000. - --v=2
  9001. - --secure-port=10250
  9002. - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
  9003. - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
  9004. - --dynamic-serving-dns-names=cert-manager-webhook
  9005. - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
  9006. - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
  9007. ports:
  9008. - name: https
  9009. protocol: TCP
  9010. containerPort: 10250
  9011. - name: healthcheck
  9012. protocol: TCP
  9013. containerPort: 6080
  9014. livenessProbe:
  9015. httpGet:
  9016. path: /livez
  9017. port: 6080
  9018. scheme: HTTP
  9019. initialDelaySeconds: 60
  9020. periodSeconds: 10
  9021. timeoutSeconds: 1
  9022. successThreshold: 1
  9023. failureThreshold: 3
  9024. readinessProbe:
  9025. httpGet:
  9026. path: /healthz
  9027. port: 6080
  9028. scheme: HTTP
  9029. initialDelaySeconds: 5
  9030. periodSeconds: 5
  9031. timeoutSeconds: 1
  9032. successThreshold: 1
  9033. failureThreshold: 3
  9034. securityContext:
  9035. allowPrivilegeEscalation: false
  9036. capabilities:
  9037. drop:
  9038. - ALL
  9039. readOnlyRootFilesystem: true
  9040. env:
  9041. - name: POD_NAMESPACE
  9042. valueFrom:
  9043. fieldRef:
  9044. fieldPath: metadata.namespace
  9045. nodeSelector:
  9046. kubernetes.io/os: linux
  9047. ---
  9048. # Source: cert-manager/templates/crds.yaml
  9049. #
  9050. # START crd
  9051. ---
  9052. # Source: cert-manager/templates/crds.yaml
  9053. # START crd
  9054. ---
  9055. # Source: cert-manager/templates/crds.yaml
  9056. # START crd
  9057. ---
  9058. # Source: cert-manager/templates/crds.yaml
  9059. # START crd
  9060. ---
  9061. # Source: cert-manager/templates/crds.yaml
  9062. # START crd
  9063. ---
  9064. # Source: cert-manager/templates/crds.yaml
  9065. # START crd
  9066. ---
  9067. # Source: cert-manager/templates/webhook-mutating-webhook.yaml
  9068. apiVersion: admissionregistration.k8s.io/v1
  9069. kind: MutatingWebhookConfiguration
  9070. metadata:
  9071. name: cert-manager-webhook
  9072. labels:
  9073. app: webhook
  9074. app.kubernetes.io/name: webhook
  9075. app.kubernetes.io/instance: cert-manager
  9076. app.kubernetes.io/component: "webhook"
  9077. app.kubernetes.io/version: "v1.15.2"
  9078. annotations:
  9079. cert-manager.io/inject-ca-from-secret: "obs-operator/cert-manager-webhook-ca"
  9080. webhooks:
  9081. - name: webhook.cert-manager.io
  9082. rules:
  9083. - apiGroups:
  9084. - "cert-manager.io"
  9085. apiVersions:
  9086. - "v1"
  9087. operations:
  9088. - CREATE
  9089. resources:
  9090. - "certificaterequests"
  9091. admissionReviewVersions: ["v1"]
  9092. # This webhook only accepts v1 cert-manager resources.
  9093. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
  9094. # this webhook (after the resources have been converted to v1).
  9095. matchPolicy: Equivalent
  9096. timeoutSeconds: 30
  9097. failurePolicy: Fail
  9098. # Only include 'sideEffects' field in Kubernetes 1.12+
  9099. sideEffects: None
  9100. clientConfig:
  9101. service:
  9102. name: cert-manager-webhook
  9103. namespace: obs-operator
  9104. path: /mutate
  9105. ---
  9106. # Source: cert-manager/templates/webhook-validating-webhook.yaml
  9107. apiVersion: admissionregistration.k8s.io/v1
  9108. kind: ValidatingWebhookConfiguration
  9109. metadata:
  9110. name: cert-manager-webhook
  9111. labels:
  9112. app: webhook
  9113. app.kubernetes.io/name: webhook
  9114. app.kubernetes.io/instance: cert-manager
  9115. app.kubernetes.io/component: "webhook"
  9116. app.kubernetes.io/version: "v1.15.2"
  9117. annotations:
  9118. cert-manager.io/inject-ca-from-secret: "obs-operator/cert-manager-webhook-ca"
  9119. webhooks:
  9120. - name: webhook.cert-manager.io
  9121. namespaceSelector:
  9122. matchExpressions:
  9123. - key: cert-manager.io/disable-validation
  9124. operator: NotIn
  9125. values:
  9126. - "true"
  9127. rules:
  9128. - apiGroups:
  9129. - "cert-manager.io"
  9130. - "acme.cert-manager.io"
  9131. apiVersions:
  9132. - "v1"
  9133. operations:
  9134. - CREATE
  9135. - UPDATE
  9136. resources:
  9137. - "*/*"
  9138. admissionReviewVersions: ["v1"]
  9139. # This webhook only accepts v1 cert-manager resources.
  9140. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
  9141. # this webhook (after the resources have been converted to v1).
  9142. matchPolicy: Equivalent
  9143. timeoutSeconds: 30
  9144. failurePolicy: Fail
  9145. sideEffects: None
  9146. clientConfig:
  9147. service:
  9148. name: cert-manager-webhook
  9149. namespace: obs-operator
  9150. path: /validate