2---
3apiVersion: apiextensions.k8s.io/v1beta1
4kind: CustomResourceDefinition
5metadata:
6 creationTimestamp: null
7 name: challenges.acme.cert-manager.io
8spec:
9 additionalPrinterColumns:
10 - JSONPath: .status.state
11 name: State
12 type: string
13 - JSONPath: .spec.dnsName
14 name: Domain
15 type: string
16 - JSONPath: .status.reason
17 name: Reason
18 priority: 1
19 type: string
20 - JSONPath: .metadata.creationTimestamp
21 description: CreationTimestamp is a timestamp representing the server time when
22 this object was created. It is not guaranteed to be set in happens-before order
23 across separate operations. Clients may not set this value. It is represented
24 in RFC3339 form and is in UTC.
25 name: Age
26 type: date
27 group: acme.cert-manager.io
28 names:
29 kind: Challenge
30 listKind: ChallengeList
31 plural: challenges
32 singular: challenge
33 scope: Namespaced
34 subresources:
35 status: {}
36 validation:
37 openAPIV3Schema:
38 description: Challenge is a type to represent a Challenge request with an ACME
39 server
40 properties:
41 apiVersion:
42 description: 'APIVersion defines the versioned schema of this representation
43 of an object. Servers should convert recognized schemas to the latest
44 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
45 type: string
46 kind:
47 description: 'Kind is a string value representing the REST resource this
48 object represents. Servers may infer this from the endpoint the client
49 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
50 type: string
51 metadata:
52 type: object
53 spec:
54 properties:
55 authzURL:
56 description: AuthzURL is the URL to the ACME Authorization resource
57 that this challenge is a part of.
58 type: string
59 dnsName:
60 description: DNSName is the identifier that this challenge is for, e.g.
61 example.com.
62 type: string
63 issuerRef:
64 description: IssuerRef references a properly configured ACME-type Issuer
65 which should be used to create this Challenge. If the Issuer does
66 not exist, processing will be retried. If the Issuer is not an 'ACME'
67 Issuer, an error will be returned and the Challenge will be marked
68 as failed.
69 properties:
70 group:
71 type: string
72 kind:
73 type: string
74 name:
75 type: string
76 required:
77 - name
78 type: object
79 key:
80 description: Key is the ACME challenge key for this challenge
81 type: string
82 solver:
83 description: Solver contains the domain solving configuration that should
84 be used to solve this challenge resource. Only **one** of 'config'
85 or 'solver' may be specified, and if both are specified then no action
86 will be performed on the Challenge resource.
87 properties:
88 dns01:
89 properties:
90 acmedns:
91 description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
92 the configuration for ACME-DNS servers
93 properties:
94 accountSecretRef:
95 properties:
96 key:
97 description: The key of the secret to select from. Must
98 be a valid secret key.
99 type: string
100 name:
101 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
102 TODO: Add other useful fields. apiVersion, kind, uid?'
103 type: string
104 required:
105 - name
106 type: object
107 host:
108 type: string
109 required:
110 - accountSecretRef
111 - host
112 type: object
113 akamai:
114 description: ACMEIssuerDNS01ProviderAkamai is a structure containing
115 the DNS configuration for Akamai DNS—Zone Record Management
116 API
117 properties:
118 accessTokenSecretRef:
119 properties:
120 key:
121 description: The key of the secret to select from. Must
122 be a valid secret key.
123 type: string
124 name:
125 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
126 TODO: Add other useful fields. apiVersion, kind, uid?'
127 type: string
128 required:
129 - name
130 type: object
131 clientSecretSecretRef:
132 properties:
133 key:
134 description: The key of the secret to select from. Must
135 be a valid secret key.
136 type: string
137 name:
138 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
139 TODO: Add other useful fields. apiVersion, kind, uid?'
140 type: string
141 required:
142 - name
143 type: object
144 clientTokenSecretRef:
145 properties:
146 key:
147 description: The key of the secret to select from. Must
148 be a valid secret key.
149 type: string
150 name:
151 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
152 TODO: Add other useful fields. apiVersion, kind, uid?'
153 type: string
154 required:
155 - name
156 type: object
157 serviceConsumerDomain:
158 type: string
159 required:
160 - accessTokenSecretRef
161 - clientSecretSecretRef
162 - clientTokenSecretRef
163 - serviceConsumerDomain
164 type: object
165 azuredns:
166 description: ACMEIssuerDNS01ProviderAzureDNS is a structure
167 containing the configuration for Azure DNS
168 properties:
169 clientID:
170 type: string
171 clientSecretSecretRef:
172 properties:
173 key:
174 description: The key of the secret to select from. Must
175 be a valid secret key.
176 type: string
177 name:
178 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
179 TODO: Add other useful fields. apiVersion, kind, uid?'
180 type: string
181 required:
182 - name
183 type: object
184 environment:
185 enum:
186 - AzurePublicCloud
187 - AzureChinaCloud
188 - AzureGermanCloud
189 - AzureUSGovernmentCloud
190 type: string
191 hostedZoneName:
192 type: string
193 resourceGroupName:
194 type: string
195 subscriptionID:
196 type: string
197 tenantID:
198 type: string
199 required:
200 - clientID
201 - clientSecretSecretRef
202 - resourceGroupName
203 - subscriptionID
204 - tenantID
205 type: object
206 clouddns:
207 description: ACMEIssuerDNS01ProviderCloudDNS is a structure
208 containing the DNS configuration for Google Cloud DNS
209 properties:
210 project:
211 type: string
212 serviceAccountSecretRef:
213 properties:
214 key:
215 description: The key of the secret to select from. Must
216 be a valid secret key.
217 type: string
218 name:
219 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
220 TODO: Add other useful fields. apiVersion, kind, uid?'
221 type: string
222 required:
223 - name
224 type: object
225 required:
226 - project
227 - serviceAccountSecretRef
228 type: object
229 cloudflare:
230 description: ACMEIssuerDNS01ProviderCloudflare is a structure
231 containing the DNS configuration for Cloudflare
232 properties:
233 apiKeySecretRef:
234 properties:
235 key:
236 description: The key of the secret to select from. Must
237 be a valid secret key.
238 type: string
239 name:
240 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
241 TODO: Add other useful fields. apiVersion, kind, uid?'
242 type: string
243 required:
244 - name
245 type: object
246 email:
247 type: string
248 required:
249 - apiKeySecretRef
250 - email
251 type: object
252 cnameStrategy:
253 description: CNAMEStrategy configures how the DNS01 provider
254 should handle CNAME records when found in DNS zones.
255 enum:
256 - None
257 - Follow
258 type: string
259 digitalocean:
260 description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
261 containing the DNS configuration for DigitalOcean Domains
262 properties:
263 tokenSecretRef:
264 properties:
265 key:
266 description: The key of the secret to select from. Must
267 be a valid secret key.
268 type: string
269 name:
270 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
271 TODO: Add other useful fields. apiVersion, kind, uid?'
272 type: string
273 required:
274 - name
275 type: object
276 required:
277 - tokenSecretRef
278 type: object
279 rfc2136:
280 description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
281 the configuration for RFC2136 DNS
282 properties:
283 nameserver:
284 description: 'The IP address of the DNS supporting RFC2136.
285 Required. Note: FQDN is not a valid value, only IP.'
286 type: string
287 tsigAlgorithm:
288 description: 'The TSIG Algorithm configured in the DNS supporting
289 RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``
290 are defined. Supported values are (case-insensitive):
291 ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or
292 ``HMACSHA512``.'
293 type: string
294 tsigKeyName:
295 description: The TSIG Key name configured in the DNS. If
296 ``tsigSecretSecretRef`` is defined, this field is required.
297 type: string
298 tsigSecretSecretRef:
299 description: The name of the secret containing the TSIG
300 value. If ``tsigKeyName`` is defined, this field is required.
301 properties:
302 key:
303 description: The key of the secret to select from. Must
304 be a valid secret key.
305 type: string
306 name:
307 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
308 TODO: Add other useful fields. apiVersion, kind, uid?'
309 type: string
310 required:
311 - name
312 type: object
313 required:
314 - nameserver
315 type: object
316 route53:
317 description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
318 the Route 53 configuration for AWS
319 properties:
320 accessKeyID:
321 description: 'The AccessKeyID is used for authentication.
322 If not set we fall-back to using env vars, shared credentials
323 file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
324 type: string
325 hostedZoneID:
326 description: If set, the provider will manage only this
327 zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName
328 api call.
329 type: string
330 region:
331 description: Always set the region when using AccessKeyID
332 and SecretAccessKey
333 type: string
334 role:
335 description: Role is a Role ARN which the Route53 provider
336 will assume using either the explicit credentials AccessKeyID/SecretAccessKey
337 or the inferred credentials from environment variables,
338 shared credentials file or AWS Instance metadata
339 type: string
340 secretAccessKeySecretRef:
341 description: The SecretAccessKey is used for authentication.
342 If not set we fall-back to using env vars, shared credentials
343 file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
344 properties:
345 key:
346 description: The key of the secret to select from. Must
347 be a valid secret key.
348 type: string
349 name:
350 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
351 TODO: Add other useful fields. apiVersion, kind, uid?'
352 type: string
353 required:
354 - name
355 type: object
356 required:
357 - region
358 type: object
359 webhook:
360 description: ACMEIssuerDNS01ProviderWebhook specifies configuration
361 for a webhook DNS01 provider, including where to POST ChallengePayload
362 resources.
363 properties:
364 config:
365 description: Additional configuration that should be passed
366 to the webhook apiserver when challenges are processed.
367 This can contain arbitrary JSON data. Secret values should
368 not be specified in this stanza. If secret values are
369 needed (e.g. credentials for a DNS service), you should
370 use a SecretKeySelector to reference a Secret resource.
371 For details on the schema of this field, consult the webhook
372 provider implementation's documentation.
373 x-kubernetes-preserve-unknown-fields: true
374 groupName:
375 description: The API group name that should be used when
376 POSTing ChallengePayload resources to the webhook apiserver.
377 This should be the same as the GroupName specified in
378 the webhook provider implementation.
379 type: string
380 solverName:
381 description: The name of the solver to use, as defined in
382 the webhook provider implementation. This will typically
383 be the name of the provider, e.g. 'cloudflare'.
384 type: string
385 required:
386 - groupName
387 - solverName
388 type: object
389 type: object
390 http01:
391 description: ACMEChallengeSolverHTTP01 contains configuration detailing
392 how to solve HTTP01 challenges within a Kubernetes cluster. Typically
393 this is accomplished through creating 'routes' of some description
394 that configure ingress controllers to direct traffic to 'solver
395 pods', which are responsible for responding to the ACME server's
396 HTTP requests.
397 properties:
398 ingress:
399 description: The ingress based HTTP01 challenge solver will
400 solve challenges by creating or modifying Ingress resources
401 in order to route requests for '/.well-known/acme-challenge/XYZ'
402 to 'challenge solver' pods that are provisioned by cert-manager
403 for each Challenge to be completed.
404 properties:
405 class:
406 description: The ingress class to use when creating Ingress
407 resources to solve ACME challenges that use this challenge
408 solver. Only one of 'class' or 'name' may be specified.
409 type: string
410 name:
411 description: The name of the ingress resource that should
412 have ACME challenge solving routes inserted into it in
413 order to solve HTTP01 challenges. This is typically used
414 in conjunction with ingress controllers like ingress-gce,
415 which maintains a 1:1 mapping between external IPs and
416 ingress resources.
417 type: string
418 podTemplate:
419 description: Optional pod template used to configure the
420 ACME challenge solver pods used for HTTP01 challenges
421 properties:
422 metadata:
423 description: ObjectMeta overrides for the pod used to
424 solve HTTP01 challenges. Only the 'labels' and 'annotations'
425 fields may be set. If labels or annotations overlap
426 with in-built values, the values here will override
427 the in-built values.
428 type: object
429 spec:
430 description: PodSpec defines overrides for the HTTP01
431 challenge solver pod. Only the 'nodeSelector', 'affinity'
432 and 'tolerations' fields are supported currently.
433 All other fields will be ignored.
434 properties:
435 affinity:
436 description: If specified, the pod's scheduling
437 constraints
438 properties:
439 nodeAffinity:
440 description: Describes node affinity scheduling
441 rules for the pod.
442 properties:
443 preferredDuringSchedulingIgnoredDuringExecution:
444 description: The scheduler will prefer to
445 schedule pods to nodes that satisfy the
446 affinity expressions specified by this
447 field, but it may choose a node that violates
448 one or more of the expressions. The node
449 that is most preferred is the one with
450 the greatest sum of weights, i.e. for
451 each node that meets all of the scheduling
452 requirements (resource request, requiredDuringScheduling
453 affinity expressions, etc.), compute a
454 sum by iterating through the elements
455 of this field and adding "weight" to the
456 sum if the node matches the corresponding
457 matchExpressions; the node(s) with the
458 highest sum are the most preferred.
459 items:
460 description: An empty preferred scheduling
461 term matches all objects with implicit
462 weight 0 (i.e. it's a no-op). A null
463 preferred scheduling term matches no
464 objects (i.e. is also a no-op).
465 properties:
466 preference:
467 description: A node selector term,
468 associated with the corresponding
469 weight.
470 properties:
471 matchExpressions:
472 description: A list of node selector
473 requirements by node's labels.
474 items:
475 description: A node selector
476 requirement is a selector
477 that contains values, a key,
478 and an operator that relates
479 the key and values.
480 properties:
481 key:
482 description: The label key
483 that the selector applies
484 to.
485 type: string
486 operator:
487 description: Represents
488 a key's relationship to
489 a set of values. Valid
490 operators are In, NotIn,
491 Exists, DoesNotExist.
492 Gt, and Lt.
493 type: string
494 values:
495 description: An array of
496 string values. If the
497 operator is In or NotIn,
498 the values array must
499 be non-empty. If the operator
500 is Exists or DoesNotExist,
501 the values array must
502 be empty. If the operator
503 is Gt or Lt, the values
504 array must have a single
505 element, which will be
506 interpreted as an integer.
507 This array is replaced
508 during a strategic merge
509 patch.
510 items:
511 type: string
512 type: array
513 required:
514 - key
515 - operator
516 type: object
517 type: array
518 matchFields:
519 description: A list of node selector
520 requirements by node's fields.
521 items:
522 description: A node selector
523 requirement is a selector
524 that contains values, a key,
525 and an operator that relates
526 the key and values.
527 properties:
528 key:
529 description: The label key
530 that the selector applies
531 to.
532 type: string
533 operator:
534 description: Represents
535 a key's relationship to
536 a set of values. Valid
537 operators are In, NotIn,
538 Exists, DoesNotExist.
539 Gt, and Lt.
540 type: string
541 values:
542 description: An array of
543 string values. If the
544 operator is In or NotIn,
545 the values array must
546 be non-empty. If the operator
547 is Exists or DoesNotExist,
548 the values array must
549 be empty. If the operator
550 is Gt or Lt, the values
551 array must have a single
552 element, which will be
553 interpreted as an integer.
554 This array is replaced
555 during a strategic merge
556 patch.
557 items:
558 type: string
559 type: array
560 required:
561 - key
562 - operator
563 type: object
564 type: array
565 type: object
566 weight:
567 description: Weight associated with
568 matching the corresponding nodeSelectorTerm,
569 in the range 1-100.
570 format: int32
571 type: integer
572 required:
573 - preference
574 - weight
575 type: object
576 type: array
577 requiredDuringSchedulingIgnoredDuringExecution:
578 description: If the affinity requirements
579 specified by this field are not met at
580 scheduling time, the pod will not be scheduled
581 onto the node. If the affinity requirements
582 specified by this field cease to be met
583 at some point during pod execution (e.g.
584 due to an update), the system may or may
585 not try to eventually evict the pod from
586 its node.
587 properties:
588 nodeSelectorTerms:
589 description: Required. A list of node
590 selector terms. The terms are ORed.
591 items:
592 description: A null or empty node
593 selector term matches no objects.
594 The requirements of them are ANDed.
595 The TopologySelectorTerm type implements
596 a subset of the NodeSelectorTerm.
597 properties:
598 matchExpressions:
599 description: A list of node selector
600 requirements by node's labels.
601 items:
602 description: A node selector
603 requirement is a selector
604 that contains values, a key,
605 and an operator that relates
606 the key and values.
607 properties:
608 key:
609 description: The label key
610 that the selector applies
611 to.
612 type: string
613 operator:
614 description: Represents
615 a key's relationship to
616 a set of values. Valid
617 operators are In, NotIn,
618 Exists, DoesNotExist.
619 Gt, and Lt.
620 type: string
621 values:
622 description: An array of
623 string values. If the
624 operator is In or NotIn,
625 the values array must
626 be non-empty. If the operator
627 is Exists or DoesNotExist,
628 the values array must
629 be empty. If the operator
630 is Gt or Lt, the values
631 array must have a single
632 element, which will be
633 interpreted as an integer.
634 This array is replaced
635 during a strategic merge
636 patch.
637 items:
638 type: string
639 type: array
640 required:
641 - key
642 - operator
643 type: object
644 type: array
645 matchFields:
646 description: A list of node selector
647 requirements by node's fields.
648 items:
649 description: A node selector
650 requirement is a selector
651 that contains values, a key,
652 and an operator that relates
653 the key and values.
654 properties:
655 key:
656 description: The label key
657 that the selector applies
658 to.
659 type: string
660 operator:
661 description: Represents
662 a key's relationship to
663 a set of values. Valid
664 operators are In, NotIn,
665 Exists, DoesNotExist.
666 Gt, and Lt.
667 type: string
668 values:
669 description: An array of
670 string values. If the
671 operator is In or NotIn,
672 the values array must
673 be non-empty. If the operator
674 is Exists or DoesNotExist,
675 the values array must
676 be empty. If the operator
677 is Gt or Lt, the values
678 array must have a single
679 element, which will be
680 interpreted as an integer.
681 This array is replaced
682 during a strategic merge
683 patch.
684 items:
685 type: string
686 type: array
687 required:
688 - key
689 - operator
690 type: object
691 type: array
692 type: object
693 type: array
694 required:
695 - nodeSelectorTerms
696 type: object
697 type: object
698 podAffinity:
699 description: Describes pod affinity scheduling
700 rules (e.g. co-locate this pod in the same
701 node, zone, etc. as some other pod(s)).
702 properties:
703 preferredDuringSchedulingIgnoredDuringExecution:
704 description: The scheduler will prefer to
705 schedule pods to nodes that satisfy the
706 affinity expressions specified by this
707 field, but it may choose a node that violates
708 one or more of the expressions. The node
709 that is most preferred is the one with
710 the greatest sum of weights, i.e. for
711 each node that meets all of the scheduling
712 requirements (resource request, requiredDuringScheduling
713 affinity expressions, etc.), compute a
714 sum by iterating through the elements
715 of this field and adding "weight" to the
716 sum if the node has pods which match
717 the corresponding podAffinityTerm; the
718 node(s) with the highest sum are the most
719 preferred.
720 items:
721 description: The weights of all of the
722 matched WeightedPodAffinityTerm fields
723 are added per-node to find the most
724 preferred node(s)
725 properties:
726 podAffinityTerm:
727 description: Required. A pod affinity
728 term, associated with the corresponding
729 weight.
730 properties:
731 labelSelector:
732 description: A label query over
733 a set of resources, in this
734 case pods.
735 properties:
736 matchExpressions:
737 description: matchExpressions
738 is a list of label selector
739 requirements. The requirements
740 are ANDed.
741 items:
742 description: A label selector
743 requirement is a selector
744 that contains values,
745 a key, and an operator
746 that relates the key and
747 values.
748 properties:
749 key:
750 description: key is
751 the label key that
752 the selector applies
753 to.
754 type: string
755 operator:
756 description: operator
757 represents a key's
758 relationship to a
759 set of values. Valid
760 operators are In,
761 NotIn, Exists and
762 DoesNotExist.
763 type: string
764 values:
765 description: values
766 is an array of string
767 values. If the operator
768 is In or NotIn, the
769 values array must
770 be non-empty. If the
771 operator is Exists
772 or DoesNotExist, the
773 values array must
774 be empty. This array
775 is replaced during
776 a strategic merge
777 patch.
778 items:
779 type: string
780 type: array
781 required:
782 - key
783 - operator
784 type: object
785 type: array
786 matchLabels:
787 additionalProperties:
788 type: string
789 description: matchLabels is
790 a map of {key,value} pairs.
791 A single {key,value} in
792 the matchLabels map is equivalent
793 to an element of matchExpressions,
794 whose key field is "key",
795 the operator is "In", and
796 the values array contains
797 only "value". The requirements
798 are ANDed.
799 type: object
800 type: object
801 namespaces:
802 description: namespaces specifies
803 which namespaces the labelSelector
804 applies to (matches against);
805 null or empty list means "this
806 pod's namespace"
807 items:
808 type: string
809 type: array
810 topologyKey:
811 description: This pod should be
812 co-located (affinity) or not
813 co-located (anti-affinity) with
814 the pods matching the labelSelector
815 in the specified namespaces,
816 where co-located is defined
817 as running on a node whose value
818 of the label with key topologyKey
819 matches that of any node on
820 which any of the selected pods
821 is running. Empty topologyKey
822 is not allowed.
823 type: string
824 required:
825 - topologyKey
826 type: object
827 weight:
828 description: weight associated with
829 matching the corresponding podAffinityTerm,
830 in the range 1-100.
831 format: int32
832 type: integer
833 required:
834 - podAffinityTerm
835 - weight
836 type: object
837 type: array
838 requiredDuringSchedulingIgnoredDuringExecution:
839 description: If the affinity requirements
840 specified by this field are not met at
841 scheduling time, the pod will not be scheduled
842 onto the node. If the affinity requirements
843 specified by this field cease to be met
844 at some point during pod execution (e.g.
845 due to a pod label update), the system
846 may or may not try to eventually evict
847 the pod from its node. When there are
848 multiple elements, the lists of nodes
849 corresponding to each podAffinityTerm
850 are intersected, i.e. all terms must be
851 satisfied.
852 items:
853 description: Defines a set of pods (namely
854 those matching the labelSelector relative
855 to the given namespace(s)) that this
856 pod should be co-located (affinity)
857 or not co-located (anti-affinity) with,
858 where co-located is defined as running
859 on a node whose value of the label with
860 key <topologyKey> matches that of any
861 node on which a pod of the set of pods
862 is running
863 properties:
864 labelSelector:
865 description: A label query over a
866 set of resources, in this case pods.
867 properties:
868 matchExpressions:
869 description: matchExpressions
870 is a list of label selector
871 requirements. The requirements
872 are ANDed.
873 items:
874 description: A label selector
875 requirement is a selector
876 that contains values, a key,
877 and an operator that relates
878 the key and values.
879 properties:
880 key:
881 description: key is the
882 label key that the selector
883 applies to.
884 type: string
885 operator:
886 description: operator represents
887 a key's relationship to
888 a set of values. Valid
889 operators are In, NotIn,
890 Exists and DoesNotExist.
891 type: string
892 values:
893 description: values is an
894 array of string values.
895 If the operator is In
896 or NotIn, the values array
897 must be non-empty. If
898 the operator is Exists
899 or DoesNotExist, the values
900 array must be empty. This
901 array is replaced during
902 a strategic merge patch.
903 items:
904 type: string
905 type: array
906 required:
907 - key
908 - operator
909 type: object
910 type: array
911 matchLabels:
912 additionalProperties:
913 type: string
914 description: matchLabels is a
915 map of {key,value} pairs. A
916 single {key,value} in the matchLabels
917 map is equivalent to an element
918 of matchExpressions, whose key
919 field is "key", the operator
920 is "In", and the values array
921 contains only "value". The requirements
922 are ANDed.
923 type: object
924 type: object
925 namespaces:
926 description: namespaces specifies
927 which namespaces the labelSelector
928 applies to (matches against); null
929 or empty list means "this pod's
930 namespace"
931 items:
932 type: string
933 type: array
934 topologyKey:
935 description: This pod should be co-located
936 (affinity) or not co-located (anti-affinity)
937 with the pods matching the labelSelector
938 in the specified namespaces, where
939 co-located is defined as running
940 on a node whose value of the label
941 with key topologyKey matches that
942 of any node on which any of the
943 selected pods is running. Empty
944 topologyKey is not allowed.
945 type: string
946 required:
947 - topologyKey
948 type: object
949 type: array
950 type: object
951 podAntiAffinity:
952 description: Describes pod anti-affinity scheduling
953 rules (e.g. avoid putting this pod in the
954 same node, zone, etc. as some other pod(s)).
955 properties:
956 preferredDuringSchedulingIgnoredDuringExecution:
957 description: The scheduler will prefer to
958 schedule pods to nodes that satisfy the
959 anti-affinity expressions specified by
960 this field, but it may choose a node that
961 violates one or more of the expressions.
962 The node that is most preferred is the
963 one with the greatest sum of weights,
964 i.e. for each node that meets all of the
965 scheduling requirements (resource request,
966 requiredDuringScheduling anti-affinity
967 expressions, etc.), compute a sum by iterating
968 through the elements of this field and
969 adding "weight" to the sum if the node
970 has pods which match the corresponding
971 podAffinityTerm; the node(s) with the
972 highest sum are the most preferred.
973 items:
974 description: The weights of all of the
975 matched WeightedPodAffinityTerm fields
976 are added per-node to find the most
977 preferred node(s)
978 properties:
979 podAffinityTerm:
980 description: Required. A pod affinity
981 term, associated with the corresponding
982 weight.
983 properties:
984 labelSelector:
985 description: A label query over
986 a set of resources, in this
987 case pods.
988 properties:
989 matchExpressions:
990 description: matchExpressions
991 is a list of label selector
992 requirements. The requirements
993 are ANDed.
994 items:
995 description: A label selector
996 requirement is a selector
997 that contains values,
998 a key, and an operator
999 that relates the key and
1000 values.
1001 properties:
1002 key:
1003 description: key is
1004 the label key that
1005 the selector applies
1006 to.
1007 type: string
1008 operator:
1009 description: operator
1010 represents a key's
1011 relationship to a
1012 set of values. Valid
1013 operators are In,
1014 NotIn, Exists and
1015 DoesNotExist.
1016 type: string
1017 values:
1018 description: values
1019 is an array of string
1020 values. If the operator
1021 is In or NotIn, the
1022 values array must
1023 be non-empty. If the
1024 operator is Exists
1025 or DoesNotExist, the
1026 values array must
1027 be empty. This array
1028 is replaced during
1029 a strategic merge
1030 patch.
1031 items:
1032 type: string
1033 type: array
1034 required:
1035 - key
1036 - operator
1037 type: object
1038 type: array
1039 matchLabels:
1040 additionalProperties:
1041 type: string
1042 description: matchLabels is
1043 a map of {key,value} pairs.
1044 A single {key,value} in
1045 the matchLabels map is equivalent
1046 to an element of matchExpressions,
1047 whose key field is "key",
1048 the operator is "In", and
1049 the values array contains
1050 only "value". The requirements
1051 are ANDed.
1052 type: object
1053 type: object
1054 namespaces:
1055 description: namespaces specifies
1056 which namespaces the labelSelector
1057 applies to (matches against);
1058 null or empty list means "this
1059 pod's namespace"
1060 items:
1061 type: string
1062 type: array
1063 topologyKey:
1064 description: This pod should be
1065 co-located (affinity) or not
1066 co-located (anti-affinity) with
1067 the pods matching the labelSelector
1068 in the specified namespaces,
1069 where co-located is defined
1070 as running on a node whose value
1071 of the label with key topologyKey
1072 matches that of any node on
1073 which any of the selected pods
1074 is running. Empty topologyKey
1075 is not allowed.
1076 type: string
1077 required:
1078 - topologyKey
1079 type: object
1080 weight:
1081 description: weight associated with
1082 matching the corresponding podAffinityTerm,
1083 in the range 1-100.
1084 format: int32
1085 type: integer
1086 required:
1087 - podAffinityTerm
1088 - weight
1089 type: object
1090 type: array
1091 requiredDuringSchedulingIgnoredDuringExecution:
1092 description: If the anti-affinity requirements
1093 specified by this field are not met at
1094 scheduling time, the pod will not be scheduled
1095 onto the node. If the anti-affinity requirements
1096 specified by this field cease to be met
1097 at some point during pod execution (e.g.
1098 due to a pod label update), the system
1099 may or may not try to eventually evict
1100 the pod from its node. When there are
1101 multiple elements, the lists of nodes
1102 corresponding to each podAffinityTerm
1103 are intersected, i.e. all terms must be
1104 satisfied.
1105 items:
1106 description: Defines a set of pods (namely
1107 those matching the labelSelector relative
1108 to the given namespace(s)) that this
1109 pod should be co-located (affinity)
1110 or not co-located (anti-affinity) with,
1111 where co-located is defined as running
1112 on a node whose value of the label with
1113 key <topologyKey> matches that of any
1114 node on which a pod of the set of pods
1115 is running
1116 properties:
1117 labelSelector:
1118 description: A label query over a
1119 set of resources, in this case pods.
1120 properties:
1121 matchExpressions:
1122 description: matchExpressions
1123 is a list of label selector
1124 requirements. The requirements
1125 are ANDed.
1126 items:
1127 description: A label selector
1128 requirement is a selector
1129 that contains values, a key,
1130 and an operator that relates
1131 the key and values.
1132 properties:
1133 key:
1134 description: key is the
1135 label key that the selector
1136 applies to.
1137 type: string
1138 operator:
1139 description: operator represents
1140 a key's relationship to
1141 a set of values. Valid
1142 operators are In, NotIn,
1143 Exists and DoesNotExist.
1144 type: string
1145 values:
1146 description: values is an
1147 array of string values.
1148 If the operator is In
1149 or NotIn, the values array
1150 must be non-empty. If
1151 the operator is Exists
1152 or DoesNotExist, the values
1153 array must be empty. This
1154 array is replaced during
1155 a strategic merge patch.
1156 items:
1157 type: string
1158 type: array
1159 required:
1160 - key
1161 - operator
1162 type: object
1163 type: array
1164 matchLabels:
1165 additionalProperties:
1166 type: string
1167 description: matchLabels is a
1168 map of {key,value} pairs. A
1169 single {key,value} in the matchLabels
1170 map is equivalent to an element
1171 of matchExpressions, whose key
1172 field is "key", the operator
1173 is "In", and the values array
1174 contains only "value". The requirements
1175 are ANDed.
1176 type: object
1177 type: object
1178 namespaces:
1179 description: namespaces specifies
1180 which namespaces the labelSelector
1181 applies to (matches against); null
1182 or empty list means "this pod's
1183 namespace"
1184 items:
1185 type: string
1186 type: array
1187 topologyKey:
1188 description: This pod should be co-located
1189 (affinity) or not co-located (anti-affinity)
1190 with the pods matching the labelSelector
1191 in the specified namespaces, where
1192 co-located is defined as running
1193 on a node whose value of the label
1194 with key topologyKey matches that
1195 of any node on which any of the
1196 selected pods is running. Empty
1197 topologyKey is not allowed.
1198 type: string
1199 required:
1200 - topologyKey
1201 type: object
1202 type: array
1203 type: object
1204 type: object
1205 nodeSelector:
1206 additionalProperties:
1207 type: string
1208 description: 'NodeSelector is a selector which must
1209 be true for the pod to fit on a node. Selector
1210 which must match a node''s labels for the pod
1211 to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
1212 type: object
1213 tolerations:
1214 description: If specified, the pod's tolerations.
1215 items:
1216 description: The pod this Toleration is attached
1217 to tolerates any taint that matches the triple
1218 <key,value,effect> using the matching operator
1219 <operator>.
1220 properties:
1221 effect:
1222 description: Effect indicates the taint effect
1223 to match. Empty means match all taint effects.
1224 When specified, allowed values are NoSchedule,
1225 PreferNoSchedule and NoExecute.
1226 type: string
1227 key:
1228 description: Key is the taint key that the
1229 toleration applies to. Empty means match
1230 all taint keys. If the key is empty, operator
1231 must be Exists; this combination means to
1232 match all values and all keys.
1233 type: string
1234 operator:
1235 description: Operator represents a key's relationship
1236 to the value. Valid operators are Exists
1237 and Equal. Defaults to Equal. Exists is
1238 equivalent to wildcard for value, so that
1239 a pod can tolerate all taints of a particular
1240 category.
1241 type: string
1242 tolerationSeconds:
1243 description: TolerationSeconds represents
1244 the period of time the toleration (which
1245 must be of effect NoExecute, otherwise this
1246 field is ignored) tolerates the taint. By
1247 default, it is not set, which means tolerate
1248 the taint forever (do not evict). Zero and
1249 negative values will be treated as 0 (evict
1250 immediately) by the system.
1251 format: int64
1252 type: integer
1253 value:
1254 description: Value is the taint value the
1255 toleration matches to. If the operator is
1256 Exists, the value should be empty, otherwise
1257 just a regular string.
1258 type: string
1259 type: object
1260 type: array
1261 type: object
1262 type: object
1263 serviceType:
1264 description: Optional service type for Kubernetes solver
1265 service
1266 type: string
1267 type: object
1268 type: object
1269 selector:
1270 description: Selector selects a set of DNSNames on the Certificate
1271 resource that should be solved using this challenge solver.
1272 properties:
1273 dnsNames:
1274 description: List of DNSNames that this solver will be used
1275 to solve. If specified and a match is found, a dnsNames selector
1276 will take precedence over a dnsZones selector. If multiple
1277 solvers match with the same dnsNames value, the solver with
1278 the most matching labels in matchLabels will be selected.
1279 If neither has more matches, the solver defined earlier in
1280 the list will be selected.
1281 items:
1282 type: string
1283 type: array
1284 dnsZones:
1285 description: List of DNSZones that this solver will be used
1286 to solve. The most specific DNS zone match specified here
1287 will take precedence over other DNS zone matches, so a solver
1288 specifying sys.example.com will be selected over one specifying
1289 example.com for the domain www.sys.example.com. If multiple
1290 solvers match with the same dnsZones value, the solver with
1291 the most matching labels in matchLabels will be selected.
1292 If neither has more matches, the solver defined earlier in
1293 the list will be selected.
1294 items:
1295 type: string
1296 type: array
1297 matchLabels:
1298 additionalProperties:
1299 type: string
                      description: A label selector that is used to refine the set
                        of Certificates that this challenge solver will apply to.
1302 type: object
1303 type: object
1304 type: object
1305 token:
1306 description: Token is the ACME challenge token for this challenge.
1307 type: string
1308 type:
1309 description: Type is the type of ACME challenge this resource represents,
1310 e.g. "dns01" or "http01"
1311 type: string
1312 url:
1313 description: URL is the URL of the ACME Challenge resource for this
1314 challenge. This can be used to lookup details about the status of
1315 this challenge.
1316 type: string
1317 wildcard:
1318 description: Wildcard will be true if this challenge is for a wildcard
1319 identifier, for example '*.example.com'
1320 type: boolean
1321 required:
1322 - authzURL
1323 - dnsName
1324 - issuerRef
1325 - key
1326 - token
1327 - type
1328 - url
1329 type: object
1330 status:
1331 properties:
1332 presented:
1333 description: Presented will be set to true if the challenge values for
1334 this challenge are currently 'presented'. This *does not* imply the
1335 self check is passing. Only that the values have been 'submitted'
1336 for the appropriate challenge mechanism (i.e. the DNS01 TXT record
1337 has been presented, or the HTTP01 configuration has been configured).
1338 type: boolean
1339 processing:
1340 description: Processing is used to denote whether this challenge should
1341 be processed or not. This field will only be set to true by the 'scheduling'
1342 component. It will only be set to false by the 'challenges' controller,
1343 after the challenge has reached a final state or timed out. If this
1344 field is set to false, the challenge controller will not take any
1345 more action.
1346 type: boolean
1347 reason:
1348 description: Reason contains human readable information on why the Challenge
1349 is in the current state.
1350 type: string
1351 state:
1352 description: State contains the current 'state' of the challenge. If
1353 not set, the state of the challenge is unknown.
1354 enum:
1355 - valid
1356 - ready
1357 - pending
1358 - processing
1359 - invalid
1360 - expired
1361 - errored
1362 type: string
1363 type: object
1364 required:
1365 - metadata
1366 type: object
1367 version: v1alpha2
1368 versions:
1369 - name: v1alpha2
1370 served: true
1371 storage: true
1372status:
1373 acceptedNames:
1374 kind: ""
1375 plural: ""
1376 conditions: []
1377 storedVersions: []
1378---
1379
1380---
1381apiVersion: apiextensions.k8s.io/v1beta1
1382kind: CustomResourceDefinition
1383metadata:
1384 creationTimestamp: null
1385 name: orders.acme.cert-manager.io
1386spec:
1387 additionalPrinterColumns:
1388 - JSONPath: .status.state
1389 name: State
1390 type: string
1391 - JSONPath: .spec.issuerRef.name
1392 name: Issuer
1393 priority: 1
1394 type: string
1395 - JSONPath: .status.reason
1396 name: Reason
1397 priority: 1
1398 type: string
1399 - JSONPath: .metadata.creationTimestamp
1400 description: CreationTimestamp is a timestamp representing the server time when
1401 this object was created. It is not guaranteed to be set in happens-before order
1402 across separate operations. Clients may not set this value. It is represented
1403 in RFC3339 form and is in UTC.
1404 name: Age
1405 type: date
1406 group: acme.cert-manager.io
1407 names:
1408 kind: Order
1409 listKind: OrderList
1410 plural: orders
1411 singular: order
1412 scope: Namespaced
1413 subresources:
1414 status: {}
1415 validation:
1416 openAPIV3Schema:
1417 description: Order is a type to represent an Order with an ACME server
1418 properties:
1419 apiVersion:
1420 description: 'APIVersion defines the versioned schema of this representation
1421 of an object. Servers should convert recognized schemas to the latest
1422 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1423 type: string
1424 kind:
1425 description: 'Kind is a string value representing the REST resource this
1426 object represents. Servers may infer this from the endpoint the client
1427 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1428 type: string
1429 metadata:
1430 type: object
1431 spec:
1432 properties:
1433 commonName:
1434 description: CommonName is the common name as specified on the DER encoded
1435 CSR. If CommonName is not specified, the first DNSName specified will
1436 be used as the CommonName. At least one of CommonName or a DNSNames
1437 must be set. This field must match the corresponding field on the
1438 DER encoded CSR.
1439 type: string
1440 csr:
1441 description: Certificate signing request bytes in DER encoding. This
1442 will be used when finalizing the order. This field must be set on
1443 the order.
1444 format: byte
1445 type: string
1446 dnsNames:
1447 description: DNSNames is a list of DNS names that should be included
1448 as part of the Order validation process. If CommonName is not specified,
1449 the first DNSName specified will be used as the CommonName. At least
1450 one of CommonName or a DNSNames must be set. This field must match
1451 the corresponding field on the DER encoded CSR.
1452 items:
1453 type: string
1454 type: array
1455 issuerRef:
1456 description: IssuerRef references a properly configured ACME-type Issuer
1457 which should be used to create this Order. If the Issuer does not
1458 exist, processing will be retried. If the Issuer is not an 'ACME'
1459 Issuer, an error will be returned and the Order will be marked as
1460 failed.
1461 properties:
1462 group:
1463 type: string
1464 kind:
1465 type: string
1466 name:
1467 type: string
1468 required:
1469 - name
1470 type: object
1471 required:
1472 - csr
1473 - issuerRef
1474 type: object
1475 status:
1476 properties:
1477 authorizations:
              description: Authorizations contains data returned from the ACME server
                on what authorizations must be completed in order to validate the DNS
                names specified on the Order.
1481 items:
                description: ACMEAuthorization contains data returned from the ACME
                  server on an authorization that must be completed in order to validate
                  a DNS name on an ACME Order resource.
1485 properties:
1486 challenges:
1487 description: Challenges specifies the challenge types offered
1488 by the ACME server. One of these challenge types will be selected
1489 when validating the DNS name and an appropriate Challenge resource
1490 will be created to perform the ACME challenge process.
1491 items:
1492 description: Challenge specifies a challenge offered by the
1493 ACME server for an Order. An appropriate Challenge resource
1494 can be created to perform the ACME challenge process.
1495 properties:
1496 token:
1497 description: Token is the token that must be presented for
1498 this challenge. This is used to compute the 'key' that
1499 must also be presented.
1500 type: string
1501 type:
1502 description: Type is the type of challenge being offered,
1503 e.g. http-01, dns-01
1504 type: string
1505 url:
1506 description: URL is the URL of this challenge. It can be
1507 used to retrieve additional metadata about the Challenge
1508 from the ACME server.
1509 type: string
1510 required:
1511 - token
1512 - type
1513 - url
1514 type: object
1515 type: array
1516 identifier:
1517 description: Identifier is the DNS name to be validated as part
1518 of this authorization
1519 type: string
1520 url:
1521 description: URL is the URL of the Authorization that must be
1522 completed
1523 type: string
1524 wildcard:
1525 description: Wildcard will be true if this authorization is for
1526 a wildcard DNS name. If this is true, the identifier will be
1527 the *non-wildcard* version of the DNS name. For example, if
1528 '*.example.com' is the DNS name being validated, this field
1529 will be 'true' and the 'identifier' field will be 'example.com'.
1530 type: boolean
1531 required:
1532 - url
1533 type: object
1534 type: array
1535 certificate:
1536 description: Certificate is a copy of the PEM encoded certificate for
1537 this Order. This field will be populated after the order has been
1538 successfully finalized with the ACME server, and the order has transitioned
1539 to the 'valid' state.
1540 format: byte
1541 type: string
1542 failureTime:
1543 description: FailureTime stores the time that this order failed. This
1544 is used to influence garbage collection and back-off.
1545 format: date-time
1546 type: string
1547 finalizeURL:
1548 description: FinalizeURL of the Order. This is used to obtain certificates
1549 for this order once it has been completed.
1550 type: string
1551 reason:
1552 description: Reason optionally provides more information about a why
1553 the order is in the current state.
1554 type: string
            state:
              # NOTE(review): the description names a 'success' state, but no such
              # value exists in the enum below ('valid' looks like the intended
              # terminal success value). The Challenge CRD's Processing field also
              # refers to "a final state" without naming it — confirm against the
              # Order controller which values are terminal before relying on this text.
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
1567 url:
1568 description: URL of the Order. This will initially be empty when the
1569 resource is first created. The Order controller will populate this
1570 field when the Order is first processed. This field will be immutable
1571 after it is initially set.
1572 type: string
1573 type: object
1574 required:
1575 - metadata
1576 type: object
1577 version: v1alpha2
1578 versions:
1579 - name: v1alpha2
1580 served: true
1581 storage: true
1582status:
1583 acceptedNames:
1584 kind: ""
1585 plural: ""
1586 conditions: []
1587 storedVersions: []
1588---
1589
1590---
# NOTE(review): this is an apiextensions.k8s.io/v1beta1 CRD. In v1beta1 the
# default is preserveUnknownFields: true, i.e. fields that are NOT declared in
# the openAPIV3Schema below are persisted by the API server rather than pruned;
# the schema only validates the fields it does declare. Setting
# preserveUnknownFields: false (or migrating to apiextensions.k8s.io/v1, which
# always prunes) requires the schema to be structural — verify that before
# changing it, and check the apiextensions docs for the cluster version in use.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  # null timestamp is presumably a code-generator artefact; the API server
  # overwrites it on create.
  creationTimestamp: null
  name: certificaterequests.cert-manager.io
1596spec:
1597 additionalPrinterColumns:
1598 - JSONPath: .status.conditions[?(@.type=="Ready")].status
1599 name: Ready
1600 type: string
1601 - JSONPath: .spec.issuerRef.name
1602 name: Issuer
1603 priority: 1
1604 type: string
1605 - JSONPath: .status.conditions[?(@.type=="Ready")].message
1606 name: Status
1607 priority: 1
1608 type: string
1609 - JSONPath: .metadata.creationTimestamp
1610 description: CreationTimestamp is a timestamp representing the server time when
1611 this object was created. It is not guaranteed to be set in happens-before order
1612 across separate operations. Clients may not set this value. It is represented
1613 in RFC3339 form and is in UTC.
1614 name: Age
1615 type: date
1616 group: cert-manager.io
1617 names:
1618 kind: CertificateRequest
1619 listKind: CertificateRequestList
1620 plural: certificaterequests
1621 shortNames:
1622 - cr
1623 - crs
1624 singular: certificaterequest
1625 scope: Namespaced
1626 subresources:
1627 status: {}
1628 validation:
1629 openAPIV3Schema:
1630 description: CertificateRequest is a type to represent a Certificate Signing
1631 Request
1632 properties:
1633 apiVersion:
1634 description: 'APIVersion defines the versioned schema of this representation
1635 of an object. Servers should convert recognized schemas to the latest
1636 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1637 type: string
1638 kind:
1639 description: 'Kind is a string value representing the REST resource this
1640 object represents. Servers may infer this from the endpoint the client
1641 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1642 type: string
1643 metadata:
1644 type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          properties:
            csr:
              # The CSR carries the subject/SAN data the issuer signs. Note that it
              # is not listed under `required` below (only issuerRef is) and its
              # content is not constrained by this schema, so the controller has to
              # validate it. `format: byte` means the value is submitted base64-encoded
              # (the PEM text wrapped in base64), not raw PEM.
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              format: byte
              type: string
            duration:
              # Free-form string; the duration format is not validated by the schema.
              description: Requested certificate default Duration
              type: string
            isCA:
              # SECURITY: isCA: true asks the issuer for a certificate that can sign
              # further certificates. Nothing in this schema limits who may set it —
              # any principal with create rights on certificaterequests in the
              # namespace can request it. Restrict this via RBAC or an admission
              # policy if the issuer in use honours the flag.
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              # A ClusterIssuer is cluster-scoped, so any namespace that can create a
              # CertificateRequest can obtain certificates from it; use namespaced
              # Issuers for tenant-specific CAs. Only `name` is required; `kind` and
              # `group` are unconstrained strings here and are interpreted by the
              # controller as described below.
              description: IssuerRef is a reference to the issuer for this CertificateRequest. If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'cert-manager.io' if empty.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            usages:
              # The enum only restricts the vocabulary. High-privilege usages such as
              # 'any', 'cert sign', 'crl sign', 'code signing' and 'ocsp signing' can
              # be requested by anyone who can create the resource; whether they are
              # granted is up to the issuer. Defaults apply only when the list is
              # empty/omitted.
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          # Only issuerRef is mandatory at the API level; a request without a csr is
          # accepted by the API server and must be rejected by the controller.
          required:
          - issuerRef
          type: object
1713 status:
1714 description: CertificateStatus defines the observed state of CertificateRequest
1715 and resulting signed certificate.
1716 properties:
            ca:
              # NOTE(review): status is written by the controller from whatever the
              # issuer returned; this CA bundle is a convenience copy, not an
              # independently verified trust anchor. Clients that need to pin a CA
              # should obtain it out of band rather than trusting this field.
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              format: byte
              type: string
1722 certificate:
1723 description: Byte slice containing a PEM encoded signed certificate
1724 resulting from the given certificate signing request.
1725 format: byte
1726 type: string
1727 conditions:
1728 items:
1729 description: CertificateRequestCondition contains condition information
1730 for a CertificateRequest.
1731 properties:
1732 lastTransitionTime:
1733 description: LastTransitionTime is the timestamp corresponding
1734 to the last status change of this condition.
1735 format: date-time
1736 type: string
1737 message:
1738 description: Message is a human readable description of the details
1739 of the last transition, complementing reason.
1740 type: string
1741 reason:
1742 description: Reason is a brief machine readable explanation for
1743 the condition's last transition.
1744 type: string
1745 status:
1746 description: Status of the condition, one of ('True', 'False',
1747 'Unknown').
1748 enum:
1749 - "True"
1750 - "False"
1751 - Unknown
1752 type: string
1753 type:
1754 description: Type of the condition, currently ('Ready').
1755 type: string
1756 required:
1757 - status
1758 - type
1759 type: object
1760 type: array
1761 failureTime:
1762 description: FailureTime stores the time that this CertificateRequest
1763 failed. This is used to influence garbage collection and back-off.
1764 format: date-time
1765 type: string
1766 type: object
1767 type: object
1768 version: v1alpha2
1769 versions:
1770 - name: v1alpha2
1771 served: true
1772 storage: true
1773status:
1774 acceptedNames:
1775 kind: ""
1776 plural: ""
1777 conditions: []
1778 storedVersions: []
1779---
1780
1781---
1782apiVersion: apiextensions.k8s.io/v1beta1
1783kind: CustomResourceDefinition
1784metadata:
1785 creationTimestamp: null
1786 name: certificates.cert-manager.io
1787spec:
1788 additionalPrinterColumns:
1789 - JSONPath: .status.conditions[?(@.type=="Ready")].status
1790 name: Ready
1791 type: string
1792 - JSONPath: .spec.secretName
1793 name: Secret
1794 type: string
1795 - JSONPath: .spec.issuerRef.name
1796 name: Issuer
1797 priority: 1
1798 type: string
1799 - JSONPath: .status.conditions[?(@.type=="Ready")].message
1800 name: Status
1801 priority: 1
1802 type: string
1803 - JSONPath: .metadata.creationTimestamp
1804 description: CreationTimestamp is a timestamp representing the server time when
1805 this object was created. It is not guaranteed to be set in happens-before order
1806 across separate operations. Clients may not set this value. It is represented
1807 in RFC3339 form and is in UTC.
1808 name: Age
1809 type: date
1810 group: cert-manager.io
1811 names:
1812 kind: Certificate
1813 listKind: CertificateList
1814 plural: certificates
1815 shortNames:
1816 - cert
1817 - certs
1818 singular: certificate
1819 scope: Namespaced
1820 subresources:
1821 status: {}
1822 validation:
1823 openAPIV3Schema:
      description: Certificate is a type to represent a Certificate issued by the
        Issuer or ClusterIssuer referenced by spec.issuerRef
1825 properties:
1826 apiVersion:
1827 description: 'APIVersion defines the versioned schema of this representation
1828 of an object. Servers should convert recognized schemas to the latest
1829 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1830 type: string
1831 kind:
1832 description: 'Kind is a string value representing the REST resource this
1833 object represents. Servers may infer this from the endpoint the client
1834 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1835 type: string
1836 metadata:
1837 type: object
        spec:
          # NOTE(review): the "at least one of CommonName, DNSName, or URISAN"
          # rule is stated in prose only; `required` at the bottom lists just
          # issuerRef and secretName, so the controller must enforce it.
          description: CertificateSpec defines the desired state of Certificate. A
            valid Certificate requires at least one of a CommonName, DNSName, or URISAN
            to be valid.
          properties:
            commonName:
              # The 64-character limit is advisory here (no maxLength in the schema).
              description: CommonName is a common name to be used on the Certificate.
                The CommonName should have a length of 64 characters or fewer to avoid
                generating invalid CSRs.
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
                Certificate.
              items:
                type: string
              type: array
            duration:
              # Free-form string; the duration format is not validated by the schema.
              description: Certificate default Duration
              type: string
            ipAddresses:
              # Plain strings; not validated as IP addresses by the schema.
              description: IPAddresses is a list of IP addresses to be used on the
                Certificate
              items:
                type: string
              type: array
            isCA:
              # SECURITY: isCA: true requests a certificate able to sign further
              # certificates. This schema does not restrict who may set it — anyone
              # who can create Certificates in the namespace can ask for it. Gate it
              # with RBAC or an admission policy if the referenced issuer honours it.
              description: IsCA will mark this Certificate as valid for signing. This
                implies that the 'cert sign' usage is set
              type: boolean
            issuerRef:
              # A ClusterIssuer is cluster-scoped, so every namespace that can create
              # Certificates can draw from it; prefer namespaced Issuers for
              # tenant-specific CAs. Only `name` is required; `kind`/`group` are
              # unconstrained strings interpreted by the controller.
              description: IssuerRef is a reference to the issuer for this certificate.
                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the Certificate will
                be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            keyAlgorithm:
              # When omitted, the keySize text below treats the algorithm as "rsa"
              # (2048-bit default).
              description: KeyAlgorithm is the private key algorithm of the corresponding
                private key for this certificate. If provided, allowed values are
                either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
                not provided, key size of 256 will be used for "ecdsa" key algorithm
                and key size of 2048 will be used for "rsa" key algorithm.
              enum:
              - rsa
              - ecdsa
              type: string
            keyEncoding:
              # NOTE(review): PKCS#1 is strictly an RSA format; for "ecdsa" keys the
              # "pkcs1" value presumably maps to the traditional 'EC PRIVATE KEY'
              # (SEC 1) PEM block — confirm with the controller. PKCS#8 is the
              # algorithm-agnostic encoding most consumers expect.
              description: KeyEncoding is the private key cryptography standards (PKCS)
                for this certificate's private key to be encoded in. If provided,
                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                respectively. If KeyEncoding is not specified, then PKCS#1 will be
                used by default.
              enum:
              - pkcs1
              - pkcs8
              type: string
            keySize:
              # NOTE(review): the 2048–8192 / (256, 384, 521) bounds below live only
              # in the description — the schema has no minimum/maximum/enum, so e.g.
              # keySize: 1024 passes API validation and is rejected (if at all) only
              # by the controller. Consider adding `minimum`/`maximum`, or per-algorithm
              # validation once this moves to a v1 schema.
              description: KeySize is the key bit size of the corresponding private
                key for this certificate. If provided, value must be between 2048
                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                and value must be one of (256, 384, 521) when KeyAlgorithm is set
                to "ecdsa".
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              items:
                type: string
              type: array
            renewBefore:
              # Free-form string; the duration format is not validated by the schema.
              description: Certificate renew before expiration duration
              type: string
            secretName:
              # SECURITY: the issued certificate and (presumably, given the
              # keyAlgorithm/keySize fields above) its private key are written to
              # this Secret in the Certificate's namespace. Any principal with
              # get/list/watch on secrets there, and any pod that mounts it, can
              # read the key — scope RBAC accordingly. The schema does not prevent
              # two Certificates in one namespace from naming the same Secret.
              description: SecretName is the name of the secret resource to store
                this secret in
              type: string
            uriSANs:
              description: URISANs is a list of URI Subject Alternative Names to be
                set on this Certificate.
              items:
                type: string
              type: array
            usages:
              # The enum only restricts the vocabulary; high-privilege usages such as
              # 'any', 'cert sign', 'crl sign', 'code signing' and 'ocsp signing' can
              # be requested by anyone who can create the resource. Whether they are
              # granted is up to the issuer.
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          required:
          - issuerRef
          - secretName
          type: object
1966 status:
1967 description: CertificateStatus defines the observed state of Certificate
1968 properties:
1969 conditions:
1970 items:
                description: CertificateCondition contains condition information for
                  a Certificate.
1973 properties:
1974 lastTransitionTime:
1975 description: LastTransitionTime is the timestamp corresponding
1976 to the last status change of this condition.
1977 format: date-time
1978 type: string
1979 message:
1980 description: Message is a human readable description of the details
1981 of the last transition, complementing reason.
1982 type: string
1983 reason:
1984 description: Reason is a brief machine readable explanation for
1985 the condition's last transition.
1986 type: string
1987 status:
1988 description: Status of the condition, one of ('True', 'False',
1989 'Unknown').
1990 enum:
1991 - "True"
1992 - "False"
1993 - Unknown
1994 type: string
1995 type:
1996 description: Type of the condition, currently ('Ready').
1997 type: string
1998 required:
1999 - status
2000 - type
2001 type: object
2002 type: array
2003 lastFailureTime:
2004 format: date-time
2005 type: string
2006 notAfter:
2007 description: The expiration time of the certificate stored in the secret
2008 named by this resource in spec.secretName.
2009 format: date-time
2010 type: string
2011 type: object
2012 type: object
2013 version: v1alpha2
2014 versions:
2015 - name: v1alpha2
2016 served: true
2017 storage: true
2018status:
2019 acceptedNames:
2020 kind: ""
2021 plural: ""
2022 conditions: []
2023 storedVersions: []
2024---
2025
2026---
2027apiVersion: apiextensions.k8s.io/v1beta1
2028kind: CustomResourceDefinition
2029metadata:
2030 creationTimestamp: null
2031 name: clusterissuers.cert-manager.io
2032spec:
2033 group: cert-manager.io
2034 names:
2035 kind: ClusterIssuer
2036 listKind: ClusterIssuerList
2037 plural: clusterissuers
2038 singular: clusterissuer
2039 scope: Cluster
2040 subresources:
2041 status: {}
2042 validation:
2043 openAPIV3Schema:
2044 properties:
2045 apiVersion:
2046 description: 'APIVersion defines the versioned schema of this representation
2047 of an object. Servers should convert recognized schemas to the latest
2048 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2049 type: string
2050 kind:
2051 description: 'Kind is a string value representing the REST resource this
2052 object represents. Servers may infer this from the endpoint the client
2053 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2054 type: string
2055 metadata:
2056 type: object
2057 spec:
2058 description: IssuerSpec is the specification of an Issuer. This includes
2059 any configuration required for the issuer.
2060 properties:
2061 acme:
2062 description: ACMEIssuer contains the specification for an ACME issuer
2063 properties:
2064 email:
2065 description: Email is the email for this account
2066 type: string
2067 privateKeySecretRef:
2068 description: PrivateKey is the name of a secret containing the private
2069 key for this user account.
2070 properties:
2071 key:
2072 description: The key of the secret to select from. Must be a
2073 valid secret key.
2074 type: string
2075 name:
2076 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2077 TODO: Add other useful fields. apiVersion, kind, uid?'
2078 type: string
2079 required:
2080 - name
2081 type: object
2082 server:
2083 description: Server is the ACME server URL
2084 type: string
2085 skipTLSVerify:
2086 description: If true, skip verifying the ACME server TLS certificate
2087 type: boolean
2088 solvers:
2089 description: Solvers is a list of challenge solvers that will be
2090 used to solve ACME challenges for the matching domains.
2091 items:
2092 properties:
2093 dns01:
2094 properties:
2095 acmedns:
2096 description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
2097 containing the configuration for ACME-DNS servers
2098 properties:
2099 accountSecretRef:
2100 properties:
2101 key:
2102 description: The key of the secret to select from.
2103 Must be a valid secret key.
2104 type: string
2105 name:
2106 description: 'Name of the referent. More info:
2107 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2108 TODO: Add other useful fields. apiVersion, kind,
2109 uid?'
2110 type: string
2111 required:
2112 - name
2113 type: object
2114 host:
2115 type: string
2116 required:
2117 - accountSecretRef
2118 - host
2119 type: object
2120 akamai:
2121 description: ACMEIssuerDNS01ProviderAkamai is a structure
2122 containing the DNS configuration for Akamai DNS—Zone
2123 Record Management API
2124 properties:
2125 accessTokenSecretRef:
2126 properties:
2127 key:
2128 description: The key of the secret to select from.
2129 Must be a valid secret key.
2130 type: string
2131 name:
2132 description: 'Name of the referent. More info:
2133 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2134 TODO: Add other useful fields. apiVersion, kind,
2135 uid?'
2136 type: string
2137 required:
2138 - name
2139 type: object
2140 clientSecretSecretRef:
2141 properties:
2142 key:
2143 description: The key of the secret to select from.
2144 Must be a valid secret key.
2145 type: string
2146 name:
2147 description: 'Name of the referent. More info:
2148 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2149 TODO: Add other useful fields. apiVersion, kind,
2150 uid?'
2151 type: string
2152 required:
2153 - name
2154 type: object
2155 clientTokenSecretRef:
2156 properties:
2157 key:
2158 description: The key of the secret to select from.
2159 Must be a valid secret key.
2160 type: string
2161 name:
2162 description: 'Name of the referent. More info:
2163 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2164 TODO: Add other useful fields. apiVersion, kind,
2165 uid?'
2166 type: string
2167 required:
2168 - name
2169 type: object
2170 serviceConsumerDomain:
2171 type: string
2172 required:
2173 - accessTokenSecretRef
2174 - clientSecretSecretRef
2175 - clientTokenSecretRef
2176 - serviceConsumerDomain
2177 type: object
2178 azuredns:
2179 description: ACMEIssuerDNS01ProviderAzureDNS is a structure
2180 containing the configuration for Azure DNS
2181 properties:
2182 clientID:
2183 type: string
2184 clientSecretSecretRef:
2185 properties:
2186 key:
2187 description: The key of the secret to select from.
2188 Must be a valid secret key.
2189 type: string
2190 name:
2191 description: 'Name of the referent. More info:
2192 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2193 TODO: Add other useful fields. apiVersion, kind,
2194 uid?'
2195 type: string
2196 required:
2197 - name
2198 type: object
2199 environment:
2200 enum:
2201 - AzurePublicCloud
2202 - AzureChinaCloud
2203 - AzureGermanCloud
2204 - AzureUSGovernmentCloud
2205 type: string
2206 hostedZoneName:
2207 type: string
2208 resourceGroupName:
2209 type: string
2210 subscriptionID:
2211 type: string
2212 tenantID:
2213 type: string
2214 required:
2215 - clientID
2216 - clientSecretSecretRef
2217 - resourceGroupName
2218 - subscriptionID
2219 - tenantID
2220 type: object
2221 clouddns:
2222 description: ACMEIssuerDNS01ProviderCloudDNS is a structure
2223 containing the DNS configuration for Google Cloud DNS
2224 properties:
2225 project:
2226 type: string
2227 serviceAccountSecretRef:
2228 properties:
2229 key:
2230 description: The key of the secret to select from.
2231 Must be a valid secret key.
2232 type: string
2233 name:
2234 description: 'Name of the referent. More info:
2235 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2236 TODO: Add other useful fields. apiVersion, kind,
2237 uid?'
2238 type: string
2239 required:
2240 - name
2241 type: object
2242 required:
2243 - project
2244 - serviceAccountSecretRef
2245 type: object
2246 cloudflare:
2247 description: ACMEIssuerDNS01ProviderCloudflare is a structure
2248 containing the DNS configuration for Cloudflare
2249 properties:
2250 apiKeySecretRef:
2251 properties:
2252 key:
2253 description: The key of the secret to select from.
2254 Must be a valid secret key.
2255 type: string
2256 name:
2257 description: 'Name of the referent. More info:
2258 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2259 TODO: Add other useful fields. apiVersion, kind,
2260 uid?'
2261 type: string
2262 required:
2263 - name
2264 type: object
2265 email:
2266 type: string
2267 required:
2268 - apiKeySecretRef
2269 - email
2270 type: object
2271 cnameStrategy:
2272 description: CNAMEStrategy configures how the DNS01 provider
2273 should handle CNAME records when found in DNS zones.
2274 enum:
2275 - None
2276 - Follow
2277 type: string
2278 digitalocean:
2279 description: ACMEIssuerDNS01ProviderDigitalOcean is a
2280 structure containing the DNS configuration for DigitalOcean
2281 Domains
2282 properties:
2283 tokenSecretRef:
2284 properties:
2285 key:
2286 description: The key of the secret to select from.
2287 Must be a valid secret key.
2288 type: string
2289 name:
2290 description: 'Name of the referent. More info:
2291 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2292 TODO: Add other useful fields. apiVersion, kind,
2293 uid?'
2294 type: string
2295 required:
2296 - name
2297 type: object
2298 required:
2299 - tokenSecretRef
2300 type: object
2301 rfc2136:
2302 description: ACMEIssuerDNS01ProviderRFC2136 is a structure
2303 containing the configuration for RFC2136 DNS
2304 properties:
2305 nameserver:
2306 description: 'The IP address of the DNS supporting
2307 RFC2136. Required. Note: FQDN is not a valid value,
2308 only IP.'
2309 type: string
2310 tsigAlgorithm:
2311 description: 'The TSIG Algorithm configured in the
2312 DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
2313 and ``tsigKeyName`` are defined. Supported values
2314 are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
2315 ``HMACSHA256`` or ``HMACSHA512``.'
2316 type: string
2317 tsigKeyName:
2318 description: The TSIG Key name configured in the DNS.
2319 If ``tsigSecretSecretRef`` is defined, this field
2320 is required.
2321 type: string
2322 tsigSecretSecretRef:
2323 description: The name of the secret containing the
2324 TSIG value. If ``tsigKeyName`` is defined, this
2325 field is required.
2326 properties:
2327 key:
2328 description: The key of the secret to select from.
2329 Must be a valid secret key.
2330 type: string
2331 name:
2332 description: 'Name of the referent. More info:
2333 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2334 TODO: Add other useful fields. apiVersion, kind,
2335 uid?'
2336 type: string
2337 required:
2338 - name
2339 type: object
2340 required:
2341 - nameserver
2342 type: object
2343 route53:
2344 description: ACMEIssuerDNS01ProviderRoute53 is a structure
2345 containing the Route 53 configuration for AWS
2346 properties:
2347 accessKeyID:
2348 description: 'The AccessKeyID is used for authentication.
2349 If not set we fall-back to using env vars, shared
2350 credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2351 type: string
2352 hostedZoneID:
2353 description: If set, the provider will manage only
2354 this zone in Route53 and will not do a lookup using
2355 the route53:ListHostedZonesByName api call.
2356 type: string
2357 region:
2358 description: Always set the region when using AccessKeyID
2359 and SecretAccessKey
2360 type: string
2361 role:
2362 description: Role is a Role ARN which the Route53
2363 provider will assume using either the explicit credentials
2364 AccessKeyID/SecretAccessKey or the inferred credentials
2365 from environment variables, shared credentials file
2366 or AWS Instance metadata
2367 type: string
2368 secretAccessKeySecretRef:
2369 description: The SecretAccessKey is used for authentication.
2370 If not set we fall-back to using env vars, shared
2371 credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2372 properties:
2373 key:
2374 description: The key of the secret to select from.
2375 Must be a valid secret key.
2376 type: string
2377 name:
2378 description: 'Name of the referent. More info:
2379 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2380 TODO: Add other useful fields. apiVersion, kind,
2381 uid?'
2382 type: string
2383 required:
2384 - name
2385 type: object
2386 required:
2387 - region
2388 type: object
2389 webhook:
2390 description: ACMEIssuerDNS01ProviderWebhook specifies
2391 configuration for a webhook DNS01 provider, including
2392 where to POST ChallengePayload resources.
2393 properties:
2394 config:
2395 description: Additional configuration that should
2396 be passed to the webhook apiserver when challenges
2397 are processed. This can contain arbitrary JSON data.
2398 Secret values should not be specified in this stanza.
2399 If secret values are needed (e.g. credentials for
2400 a DNS service), you should use a SecretKeySelector
2401 to reference a Secret resource. For details on the
2402 schema of this field, consult the webhook provider
2403 implementation's documentation.
2404 x-kubernetes-preserve-unknown-fields: true
2405 groupName:
2406 description: The API group name that should be used
2407 when POSTing ChallengePayload resources to the webhook
2408 apiserver. This should be the same as the GroupName
2409 specified in the webhook provider implementation.
2410 type: string
2411 solverName:
2412 description: The name of the solver to use, as defined
2413 in the webhook provider implementation. This will
2414 typically be the name of the provider, e.g. 'cloudflare'.
2415 type: string
2416 required:
2417 - groupName
2418 - solverName
2419 type: object
2420 type: object
2421 http01:
2422 description: ACMEChallengeSolverHTTP01 contains configuration
2423 detailing how to solve HTTP01 challenges within a Kubernetes
2424 cluster. Typically this is accomplished through creating
2425 'routes' of some description that configure ingress controllers
2426 to direct traffic to 'solver pods', which are responsible
2427 for responding to the ACME server's HTTP requests.
2428 properties:
2429 ingress:
2430 description: The ingress based HTTP01 challenge solver
2431 will solve challenges by creating or modifying Ingress
2432 resources in order to route requests for '/.well-known/acme-challenge/XYZ'
2433 to 'challenge solver' pods that are provisioned by cert-manager
2434 for each Challenge to be completed.
2435 properties:
2436 class:
2437 description: The ingress class to use when creating
2438 Ingress resources to solve ACME challenges that
2439 use this challenge solver. Only one of 'class' or
2440 'name' may be specified.
2441 type: string
2442 name:
2443 description: The name of the ingress resource that
2444 should have ACME challenge solving routes inserted
2445 into it in order to solve HTTP01 challenges. This
2446 is typically used in conjunction with ingress controllers
2447 like ingress-gce, which maintains a 1:1 mapping
2448 between external IPs and ingress resources.
2449 type: string
2450 podTemplate:
2451 description: Optional pod template used to configure
2452 the ACME challenge solver pods used for HTTP01 challenges
2453 properties:
2454 metadata:
2455 description: ObjectMeta overrides for the pod
2456 used to solve HTTP01 challenges. Only the 'labels'
2457 and 'annotations' fields may be set. If labels
2458 or annotations overlap with in-built values,
2459 the values here will override the in-built values.
2460 type: object
2461 spec:
2462 description: PodSpec defines overrides for the
2463 HTTP01 challenge solver pod. Only the 'nodeSelector',
2464 'affinity' and 'tolerations' fields are supported
2465 currently. All other fields will be ignored.
2466 properties:
2467 affinity:
2468 description: If specified, the pod's scheduling
2469 constraints
2470 properties:
2471 nodeAffinity:
2472 description: Describes node affinity scheduling
2473 rules for the pod.
2474 properties:
2475 preferredDuringSchedulingIgnoredDuringExecution:
2476 description: The scheduler will prefer
2477 to schedule pods to nodes that satisfy
2478 the affinity expressions specified
2479 by this field, but it may choose
2480 a node that violates one or more
2481 of the expressions. The node that
2482 is most preferred is the one with
2483 the greatest sum of weights, i.e.
2484 for each node that meets all of
2485 the scheduling requirements (resource
2486 request, requiredDuringScheduling
2487 affinity expressions, etc.), compute
2488 a sum by iterating through the elements
2489 of this field and adding "weight"
2490 to the sum if the node matches the
2491 corresponding matchExpressions;
2492 the node(s) with the highest sum
2493 are the most preferred.
2494 items:
2495 description: An empty preferred
2496 scheduling term matches all objects
2497 with implicit weight 0 (i.e. it's
2498 a no-op). A null preferred scheduling
2499 term matches no objects (i.e.
2500 is also a no-op).
2501 properties:
2502 preference:
2503 description: A node selector
2504 term, associated with the
2505 corresponding weight.
2506 properties:
2507 matchExpressions:
2508 description: A list of node
2509 selector requirements
2510 by node's labels.
2511 items:
2512 description: A node selector
2513 requirement is a selector
2514 that contains values,
2515 a key, and an operator
2516 that relates the key
2517 and values.
2518 properties:
2519 key:
2520 description: The label
2521 key that the selector
2522 applies to.
2523 type: string
2524 operator:
2525 description: Represents
2526 a key's relationship
2527 to a set of values.
2528 Valid operators
2529 are In, NotIn, Exists,
2530 DoesNotExist, Gt,
2531 and Lt.
2532 type: string
2533 values:
2534 description: An array
2535 of string values.
2536 If the operator
2537 is In or NotIn,
2538 the values array
2539 must be non-empty.
2540 If the operator
2541 is Exists or DoesNotExist,
2542 the values array
2543 must be empty. If
2544 the operator is
2545 Gt or Lt, the values
2546 array must have
2547 a single element,
2548 which will be interpreted
2549 as an integer. This
2550 array is replaced
2551 during a strategic
2552 merge patch.
2553 items:
2554 type: string
2555 type: array
2556 required:
2557 - key
2558 - operator
2559 type: object
2560 type: array
2561 matchFields:
2562 description: A list of node
2563 selector requirements
2564 by node's fields.
2565 items:
2566 description: A node selector
2567 requirement is a selector
2568 that contains values,
2569 a key, and an operator
2570 that relates the key
2571 and values.
2572 properties:
2573 key:
2574 description: The label
2575 key that the selector
2576 applies to.
2577 type: string
2578 operator:
2579 description: Represents
2580 a key's relationship
2581 to a set of values.
2582 Valid operators
2583 are In, NotIn, Exists,
2584 DoesNotExist, Gt,
2585 and Lt.
2586 type: string
2587 values:
2588 description: An array
2589 of string values.
2590 If the operator
2591 is In or NotIn,
2592 the values array
2593 must be non-empty.
2594 If the operator
2595 is Exists or DoesNotExist,
2596 the values array
2597 must be empty. If
2598 the operator is
2599 Gt or Lt, the values
2600 array must have
2601 a single element,
2602 which will be interpreted
2603 as an integer. This
2604 array is replaced
2605 during a strategic
2606 merge patch.
2607 items:
2608 type: string
2609 type: array
2610 required:
2611 - key
2612 - operator
2613 type: object
2614 type: array
2615 type: object
2616 weight:
2617 description: Weight associated
2618 with matching the corresponding
2619 nodeSelectorTerm, in the range
2620 1-100.
2621 format: int32
2622 type: integer
2623 required:
2624 - preference
2625 - weight
2626 type: object
2627 type: array
2628 requiredDuringSchedulingIgnoredDuringExecution:
2629 description: If the affinity requirements
2630 specified by this field are not
2631 met at scheduling time, the pod
2632 will not be scheduled onto the node.
2633 If the affinity requirements specified
2634 by this field cease to be met at
2635 some point during pod execution
2636 (e.g. due to an update), the system
2637 may or may not try to eventually
2638 evict the pod from its node.
2639 properties:
2640 nodeSelectorTerms:
2641 description: Required. A list
2642 of node selector terms. The
2643 terms are ORed.
2644 items:
2645 description: A null or empty
2646 node selector term matches
2647 no objects. The requirements
2648 of them are ANDed. The TopologySelectorTerm
2649 type implements a subset of
2650 the NodeSelectorTerm.
2651 properties:
2652 matchExpressions:
2653 description: A list of node
2654 selector requirements
2655 by node's labels.
2656 items:
2657 description: A node selector
2658 requirement is a selector
2659 that contains values,
2660 a key, and an operator
2661 that relates the key
2662 and values.
2663 properties:
2664 key:
2665 description: The label
2666 key that the selector
2667 applies to.
2668 type: string
2669 operator:
2670 description: Represents
2671 a key's relationship
2672 to a set of values.
2673 Valid operators
2674 are In, NotIn, Exists,
2675 DoesNotExist, Gt,
2676 and Lt.
2677 type: string
2678 values:
2679 description: An array
2680 of string values.
2681 If the operator
2682 is In or NotIn,
2683 the values array
2684 must be non-empty.
2685 If the operator
2686 is Exists or DoesNotExist,
2687 the values array
2688 must be empty. If
2689 the operator is
2690 Gt or Lt, the values
2691 array must have
2692 a single element,
2693 which will be interpreted
2694 as an integer. This
2695 array is replaced
2696 during a strategic
2697 merge patch.
2698 items:
2699 type: string
2700 type: array
2701 required:
2702 - key
2703 - operator
2704 type: object
2705 type: array
2706 matchFields:
2707 description: A list of node
2708 selector requirements
2709 by node's fields.
2710 items:
2711 description: A node selector
2712 requirement is a selector
2713 that contains values,
2714 a key, and an operator
2715 that relates the key
2716 and values.
2717 properties:
2718 key:
2719 description: The label
2720 key that the selector
2721 applies to.
2722 type: string
2723 operator:
2724 description: Represents
2725 a key's relationship
2726 to a set of values.
2727 Valid operators
2728 are In, NotIn, Exists,
2729 DoesNotExist, Gt,
2730 and Lt.
2731 type: string
2732 values:
2733 description: An array
2734 of string values.
2735 If the operator
2736 is In or NotIn,
2737 the values array
2738 must be non-empty.
2739 If the operator
2740 is Exists or DoesNotExist,
2741 the values array
2742 must be empty. If
2743 the operator is
2744 Gt or Lt, the values
2745 array must have
2746 a single element,
2747 which will be interpreted
2748 as an integer. This
2749 array is replaced
2750 during a strategic
2751 merge patch.
2752 items:
2753 type: string
2754 type: array
2755 required:
2756 - key
2757 - operator
2758 type: object
2759 type: array
2760 type: object
2761 type: array
2762 required:
2763 - nodeSelectorTerms
2764 type: object
2765 type: object
2766 podAffinity:
2767 description: Describes pod affinity scheduling
2768 rules (e.g. co-locate this pod in the
2769 same node, zone, etc. as some other
2770 pod(s)).
2771 properties:
2772 preferredDuringSchedulingIgnoredDuringExecution:
2773 description: The scheduler will prefer
2774 to schedule pods to nodes that satisfy
2775 the affinity expressions specified
2776 by this field, but it may choose
2777 a node that violates one or more
2778 of the expressions. The node that
2779 is most preferred is the one with
2780 the greatest sum of weights, i.e.
2781 for each node that meets all of
2782 the scheduling requirements (resource
2783 request, requiredDuringScheduling
2784 affinity expressions, etc.), compute
2785 a sum by iterating through the elements
2786 of this field and adding "weight"
2787 to the sum if the node has pods
2788 which matches the corresponding
2789 podAffinityTerm; the node(s) with
2790 the highest sum are the most preferred.
2791 items:
2792 description: The weights of all
2793 of the matched WeightedPodAffinityTerm
2794 fields are added per-node to find
2795 the most preferred node(s)
2796 properties:
2797 podAffinityTerm:
2798 description: Required. A pod
2799 affinity term, associated
2800 with the corresponding weight.
2801 properties:
2802 labelSelector:
2803 description: A label query
2804 over a set of resources,
2805 in this case pods.
2806 properties:
2807 matchExpressions:
2808 description: matchExpressions
2809 is a list of label
2810 selector requirements.
2811 The requirements are
2812 ANDed.
2813 items:
2814 description: A label
2815 selector requirement
2816 is a selector that
2817 contains values,
2818 a key, and an operator
2819 that relates the
2820 key and values.
2821 properties:
2822 key:
2823 description: key
2824 is the label
2825 key that the
2826 selector applies
2827 to.
2828 type: string
2829 operator:
2830 description: operator
2831 represents a
2832 key's relationship
2833 to a set of
2834 values. Valid
2835 operators are
2836 In, NotIn, Exists
2837 and DoesNotExist.
2838 type: string
2839 values:
2840 description: values
2841 is an array
2842 of string values.
2843 If the operator
2844 is In or NotIn,
2845 the values array
2846 must be non-empty.
2847 If the operator
2848 is Exists or
2849 DoesNotExist,
2850 the values array
2851 must be empty.
2852 This array is
2853 replaced during
2854 a strategic
2855 merge patch.
2856 items:
2857 type: string
2858 type: array
2859 required:
2860 - key
2861 - operator
2862 type: object
2863 type: array
2864 matchLabels:
2865 additionalProperties:
2866 type: string
2867 description: matchLabels
2868 is a map of {key,value}
2869 pairs. A single {key,value}
2870 in the matchLabels
2871 map is equivalent
2872 to an element of matchExpressions,
2873 whose key field is
2874 "key", the operator
2875 is "In", and the values
2876 array contains only
2877 "value". The requirements
2878 are ANDed.
2879 type: object
2880 type: object
2881 namespaces:
2882 description: namespaces
2883 specifies which namespaces
2884 the labelSelector applies
2885 to (matches against);
2886 null or empty list means
2887 "this pod's namespace"
2888 items:
2889 type: string
2890 type: array
2891 topologyKey:
2892 description: This pod should
2893 be co-located (affinity)
2894 or not co-located (anti-affinity)
2895 with the pods matching
2896 the labelSelector in the
2897 specified namespaces,
2898 where co-located is defined
2899 as running on a node whose
2900 value of the label with
2901 key topologyKey matches
2902 that of any node on which
2903 any of the selected pods
2904 is running. Empty topologyKey
2905 is not allowed.
2906 type: string
2907 required:
2908 - topologyKey
2909 type: object
2910 weight:
2911 description: weight associated
2912 with matching the corresponding
2913 podAffinityTerm, in the range
2914 1-100.
2915 format: int32
2916 type: integer
2917 required:
2918 - podAffinityTerm
2919 - weight
2920 type: object
2921 type: array
2922 requiredDuringSchedulingIgnoredDuringExecution:
2923 description: If the affinity requirements
2924 specified by this field are not
2925 met at scheduling time, the pod
2926 will not be scheduled onto the node.
2927 If the affinity requirements specified
2928 by this field cease to be met at
2929 some point during pod execution
2930 (e.g. due to a pod label update),
2931 the system may or may not try to
2932 eventually evict the pod from its
2933 node. When there are multiple elements,
2934 the lists of nodes corresponding
2935 to each podAffinityTerm are intersected,
2936 i.e. all terms must be satisfied.
2937 items:
2938 description: Defines a set of pods
2939 (namely those matching the labelSelector
2940 relative to the given namespace(s))
2941 that this pod should be co-located
2942 (affinity) or not co-located (anti-affinity)
2943 with, where co-located is defined
2944 as running on a node whose value
2945 of the label with key <topologyKey>
2946 matches that of any node on which
2947 a pod of the set of pods is running
2948 properties:
2949 labelSelector:
2950 description: A label query over
2951 a set of resources, in this
2952 case pods.
2953 properties:
2954 matchExpressions:
2955 description: matchExpressions
2956 is a list of label selector
2957 requirements. The requirements
2958 are ANDed.
2959 items:
2960 description: A label selector
2961 requirement is a selector
2962 that contains values,
2963 a key, and an operator
2964 that relates the key
2965 and values.
2966 properties:
2967 key:
2968 description: key is
2969 the label key that
2970 the selector applies
2971 to.
2972 type: string
2973 operator:
2974 description: operator
2975 represents a key's
2976 relationship to
2977 a set of values.
2978 Valid operators
2979 are In, NotIn, Exists
2980 and DoesNotExist.
2981 type: string
2982 values:
2983 description: values
2984 is an array of string
2985 values. If the operator
2986 is In or NotIn,
2987 the values array
2988 must be non-empty.
2989 If the operator
2990 is Exists or DoesNotExist,
2991 the values array
2992 must be empty. This
2993 array is replaced
2994 during a strategic
2995 merge patch.
2996 items:
2997 type: string
2998 type: array
2999 required:
3000 - key
3001 - operator
3002 type: object
3003 type: array
3004 matchLabels:
3005 additionalProperties:
3006 type: string
3007 description: matchLabels
3008 is a map of {key,value}
3009 pairs. A single {key,value}
3010 in the matchLabels map
3011 is equivalent to an element
3012 of matchExpressions, whose
3013 key field is "key", the
3014 operator is "In", and
3015 the values array contains
3016 only "value". The requirements
3017 are ANDed.
3018 type: object
3019 type: object
3020 namespaces:
3021 description: namespaces specifies
3022 which namespaces the labelSelector
3023 applies to (matches against);
3024 null or empty list means "this
3025 pod's namespace"
3026 items:
3027 type: string
3028 type: array
3029 topologyKey:
3030 description: This pod should
3031 be co-located (affinity) or
3032 not co-located (anti-affinity)
3033 with the pods matching the
3034 labelSelector in the specified
3035 namespaces, where co-located
3036 is defined as running on a
3037 node whose value of the label
3038 with key topologyKey matches
3039 that of any node on which
3040 any of the selected pods is
3041 running. Empty topologyKey
3042 is not allowed.
3043 type: string
3044 required:
3045 - topologyKey
3046 type: object
3047 type: array
3048 type: object
3049 podAntiAffinity:
3050 description: Describes pod anti-affinity
3051 scheduling rules (e.g. avoid putting
3052 this pod in the same node, zone, etc.
3053 as some other pod(s)).
3054 properties:
3055 preferredDuringSchedulingIgnoredDuringExecution:
3056 description: The scheduler will prefer
3057 to schedule pods to nodes that satisfy
3058 the anti-affinity expressions specified
3059 by this field, but it may choose
3060 a node that violates one or more
3061 of the expressions. The node that
3062 is most preferred is the one with
3063 the greatest sum of weights, i.e.
3064 for each node that meets all of
3065 the scheduling requirements (resource
3066 request, requiredDuringScheduling
3067 anti-affinity expressions, etc.),
3068 compute a sum by iterating through
3069 the elements of this field and adding
3070 "weight" to the sum if the node
3071 has pods which matches the corresponding
3072 podAffinityTerm; the node(s) with
3073 the highest sum are the most preferred.
3074 items:
3075 description: The weights of all
3076 of the matched WeightedPodAffinityTerm
3077 fields are added per-node to find
3078 the most preferred node(s)
3079 properties:
3080 podAffinityTerm:
3081 description: Required. A pod
3082 affinity term, associated
3083 with the corresponding weight.
3084 properties:
3085 labelSelector:
3086 description: A label query
3087 over a set of resources,
3088 in this case pods.
3089 properties:
3090 matchExpressions:
3091 description: matchExpressions
3092 is a list of label
3093 selector requirements.
3094 The requirements are
3095 ANDed.
3096 items:
3097 description: A label
3098 selector requirement
3099 is a selector that
3100 contains values,
3101 a key, and an operator
3102 that relates the
3103 key and values.
3104 properties:
3105 key:
3106 description: key
3107 is the label
3108 key that the
3109 selector applies
3110 to.
3111 type: string
3112 operator:
3113 description: operator
3114 represents a
3115 key's relationship
3116 to a set of
3117 values. Valid
3118 operators are
3119 In, NotIn, Exists
3120 and DoesNotExist.
3121 type: string
3122 values:
3123 description: values
3124 is an array
3125 of string values.
3126 If the operator
3127 is In or NotIn,
3128 the values array
3129 must be non-empty.
3130 If the operator
3131 is Exists or
3132 DoesNotExist,
3133 the values array
3134 must be empty.
3135 This array is
3136 replaced during
3137 a strategic
3138 merge patch.
3139 items:
3140 type: string
3141 type: array
3142 required:
3143 - key
3144 - operator
3145 type: object
3146 type: array
3147 matchLabels:
3148 additionalProperties:
3149 type: string
3150 description: matchLabels
3151 is a map of {key,value}
3152 pairs. A single {key,value}
3153 in the matchLabels
3154 map is equivalent
3155 to an element of matchExpressions,
3156 whose key field is
3157 "key", the operator
3158 is "In", and the values
3159 array contains only
3160 "value". The requirements
3161 are ANDed.
3162 type: object
3163 type: object
3164 namespaces:
3165 description: namespaces
3166 specifies which namespaces
3167 the labelSelector applies
3168 to (matches against);
3169 null or empty list means
3170 "this pod's namespace"
3171 items:
3172 type: string
3173 type: array
3174 topologyKey:
3175 description: This pod should
3176 be co-located (affinity)
3177 or not co-located (anti-affinity)
3178 with the pods matching
3179 the labelSelector in the
3180 specified namespaces,
3181 where co-located is defined
3182 as running on a node whose
3183 value of the label with
3184 key topologyKey matches
3185 that of any node on which
3186 any of the selected pods
3187 is running. Empty topologyKey
3188 is not allowed.
3189 type: string
3190 required:
3191 - topologyKey
3192 type: object
3193 weight:
3194 description: weight associated
3195 with matching the corresponding
3196 podAffinityTerm, in the range
3197 1-100.
3198 format: int32
3199 type: integer
3200 required:
3201 - podAffinityTerm
3202 - weight
3203 type: object
3204 type: array
3205 requiredDuringSchedulingIgnoredDuringExecution:
3206 description: If the anti-affinity
3207 requirements specified by this field
3208 are not met at scheduling time,
3209 the pod will not be scheduled onto
3210 the node. If the anti-affinity requirements
3211 specified by this field cease to
3212 be met at some point during pod
3213 execution (e.g. due to a pod label
3214 update), the system may or may not
3215 try to eventually evict the pod
3216 from its node. When there are multiple
3217 elements, the lists of nodes corresponding
3218 to each podAffinityTerm are intersected,
3219 i.e. all terms must be satisfied.
3220 items:
3221 description: Defines a set of pods
3222 (namely those matching the labelSelector
3223 relative to the given namespace(s))
3224 that this pod should be co-located
3225 (affinity) or not co-located (anti-affinity)
3226 with, where co-located is defined
3227 as running on a node whose value
3228 of the label with key <topologyKey>
3229 matches that of any node on which
3230 a pod of the set of pods is running
3231 properties:
3232 labelSelector:
3233 description: A label query over
3234 a set of resources, in this
3235 case pods.
3236 properties:
3237 matchExpressions:
3238 description: matchExpressions
3239 is a list of label selector
3240 requirements. The requirements
3241 are ANDed.
3242 items:
3243 description: A label selector
3244 requirement is a selector
3245 that contains values,
3246 a key, and an operator
3247 that relates the key
3248 and values.
3249 properties:
3250 key:
3251 description: key is
3252 the label key that
3253 the selector applies
3254 to.
3255 type: string
3256 operator:
3257 description: operator
3258 represents a key's
3259 relationship to
3260 a set of values.
3261 Valid operators
3262 are In, NotIn, Exists
3263 and DoesNotExist.
3264 type: string
3265 values:
3266 description: values
3267 is an array of string
3268 values. If the operator
3269 is In or NotIn,
3270 the values array
3271 must be non-empty.
3272 If the operator
3273 is Exists or DoesNotExist,
3274 the values array
3275 must be empty. This
3276 array is replaced
3277 during a strategic
3278 merge patch.
3279 items:
3280 type: string
3281 type: array
3282 required:
3283 - key
3284 - operator
3285 type: object
3286 type: array
3287 matchLabels:
3288 additionalProperties:
3289 type: string
3290 description: matchLabels
3291 is a map of {key,value}
3292 pairs. A single {key,value}
3293 in the matchLabels map
3294 is equivalent to an element
3295 of matchExpressions, whose
3296 key field is "key", the
3297 operator is "In", and
3298 the values array contains
3299 only "value". The requirements
3300 are ANDed.
3301 type: object
3302 type: object
3303 namespaces:
3304 description: namespaces specifies
3305 which namespaces the labelSelector
3306 applies to (matches against);
3307 null or empty list means "this
3308 pod's namespace"
3309 items:
3310 type: string
3311 type: array
3312 topologyKey:
3313 description: This pod should
3314 be co-located (affinity) or
3315 not co-located (anti-affinity)
3316 with the pods matching the
3317 labelSelector in the specified
3318 namespaces, where co-located
3319 is defined as running on a
3320 node whose value of the label
3321 with key topologyKey matches
3322 that of any node on which
3323 any of the selected pods is
3324 running. Empty topologyKey
3325 is not allowed.
3326 type: string
3327 required:
3328 - topologyKey
3329 type: object
3330 type: array
3331 type: object
3332 type: object
3333 nodeSelector:
3334 additionalProperties:
3335 type: string
3336 description: 'NodeSelector is a selector which
3337 must be true for the pod to fit on a node.
3338 Selector which must match a node''s labels
3339 for the pod to be scheduled on that node.
3340 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3341 type: object
3342 tolerations:
3343 description: If specified, the pod's tolerations.
3344 items:
3345 description: The pod this Toleration is
3346 attached to tolerates any taint that matches
3347 the triple <key,value,effect> using the
3348 matching operator <operator>.
3349 properties:
3350 effect:
3351 description: Effect indicates the taint
3352 effect to match. Empty means match
3353 all taint effects. When specified,
3354 allowed values are NoSchedule, PreferNoSchedule
3355 and NoExecute.
3356 type: string
3357 key:
3358 description: Key is the taint key that
3359 the toleration applies to. Empty means
3360 match all taint keys. If the key is
3361 empty, operator must be Exists; this
3362 combination means to match all values
3363 and all keys.
3364 type: string
3365 operator:
3366 description: Operator represents a key's
3367 relationship to the value. Valid operators
3368 are Exists and Equal. Defaults to
3369 Equal. Exists is equivalent to wildcard
3370 for value, so that a pod can tolerate
3371 all taints of a particular category.
3372 type: string
3373 tolerationSeconds:
3374 description: TolerationSeconds represents
3375 the period of time the toleration
3376 (which must be of effect NoExecute,
3377 otherwise this field is ignored) tolerates
3378 the taint. By default, it is not set,
3379 which means tolerate the taint forever
3380 (do not evict). Zero and negative
3381 values will be treated as 0 (evict
3382 immediately) by the system.
3383 format: int64
3384 type: integer
3385 value:
3386 description: Value is the taint value
3387 the toleration matches to. If the
3388 operator is Exists, the value should
3389 be empty, otherwise just a regular
3390 string.
3391 type: string
3392 type: object
3393 type: array
3394 type: object
3395 type: object
3396 serviceType:
3397 description: Optional service type for Kubernetes
3398 solver service
3399 type: string
3400 type: object
3401 type: object
3402 selector:
3403 description: Selector selects a set of DNSNames on the Certificate
3404 resource that should be solved using this challenge solver.
3405 properties:
3406 dnsNames:
3407 description: List of DNSNames that this solver will be
3408 used to solve. If specified and a match is found, a
3409 dnsNames selector will take precedence over a dnsZones
3410 selector. If multiple solvers match with the same dnsNames
3411 value, the solver with the most matching labels in matchLabels
3412 will be selected. If neither has more matches, the solver
3413 defined earlier in the list will be selected.
3414 items:
3415 type: string
3416 type: array
3417 dnsZones:
3418 description: List of DNSZones that this solver will be
3419 used to solve. The most specific DNS zone match specified
3420 here will take precedence over other DNS zone matches,
3421 so a solver specifying sys.example.com will be selected
3422 over one specifying example.com for the domain www.sys.example.com.
3423 If multiple solvers match with the same dnsZones value,
3424 the solver with the most matching labels in matchLabels
3425 will be selected. If neither has more matches, the solver
3426 defined earlier in the list will be selected.
3427 items:
3428 type: string
3429 type: array
3430 matchLabels:
3431 additionalProperties:
3432 type: string
3433 description: A label selector that is used to refine the
3434 set of certificates that this challenge solver will
3435 apply to.
3436 type: object
3437 type: object
3438 type: object
3439 type: array
3440 required:
3441 - privateKeySecretRef
3442 - server
3443 type: object
3444 ca:
3445 properties:
3446 secretName:
3447 description: SecretName is the name of the secret used to sign Certificates
3448 issued by this Issuer.
3449 type: string
3450 required:
3451 - secretName
3452 type: object
3453 selfSigned:
3454 type: object
3455 vault:
3456 properties:
3457 auth:
3458 description: Vault authentication
3459 properties:
3460 appRole:
3461 description: This Secret contains an AppRole and Secret
3462 properties:
3463 path:
3464 description: Where the authentication path is mounted in
3465 Vault.
3466 type: string
3467 roleId:
3468 type: string
3469 secretRef:
3470 properties:
3471 key:
3472 description: The key of the secret to select from. Must
3473 be a valid secret key.
3474 type: string
3475 name:
3476 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3477 TODO: Add other useful fields. apiVersion, kind, uid?'
3478 type: string
3479 required:
3480 - name
3481 type: object
3482 required:
3483 - path
3484 - roleId
3485 - secretRef
3486 type: object
3487 kubernetes:
3488 description: This contains a Role and Secret with a ServiceAccount
3489 token to authenticate with vault.
3490 properties:
3491 mountPath:
3492 description: The value here will be used as part of the
3493 path used when authenticating with vault, for example
3494 if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
3495 If unspecified, the default value "kubernetes" will be
3496 used.
3497 type: string
3498 role:
3499 description: A required field containing the Vault Role
3500 to assume. A Role binds a Kubernetes ServiceAccount with
3501 a set of Vault policies.
3502 type: string
3503 secretRef:
3504 description: The required Secret field containing a Kubernetes
3505 ServiceAccount JWT used for authenticating with Vault.
3506 Use of 'ambient credentials' is not supported.
3507 properties:
3508 key:
3509 description: The key of the secret to select from. Must
3510 be a valid secret key.
3511 type: string
3512 name:
3513 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3514 TODO: Add other useful fields. apiVersion, kind, uid?'
3515 type: string
3516 required:
3517 - name
3518 type: object
3519 required:
3520 - role
3521 - secretRef
3522 type: object
3523 tokenSecretRef:
3524 description: This Secret contains the Vault token key
3525 properties:
3526 key:
3527 description: The key of the secret to select from. Must
3528 be a valid secret key.
3529 type: string
3530 name:
3531 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3532 TODO: Add other useful fields. apiVersion, kind, uid?'
3533 type: string
3534 required:
3535 - name
3536 type: object
3537 type: object
3538 caBundle:
3539 description: Base64 encoded CA bundle to validate Vault server certificate.
3540 Only used if the Server URL is using HTTPS protocol. This parameter
3541 is ignored for plain HTTP protocol connection. If not set the
3542 system root certificates are used to validate the TLS connection.
3543 format: byte
3544 type: string
3545 path:
3546 description: Vault URL path to the certificate role
3547 type: string
3548 server:
3549 description: Server is the vault connection address
3550 type: string
3551 required:
3552 - auth
3553 - path
3554 - server
3555 type: object
3556 venafi:
3557 description: VenafiIssuer describes issuer configuration details for
3558 Venafi Cloud.
3559 properties:
3560 cloud:
3561 description: Cloud specifies the Venafi cloud configuration settings.
3562 Only one of TPP or Cloud may be specified.
3563 properties:
3564 apiTokenSecretRef:
3565 description: APITokenSecretRef is a secret key selector for
3566 the Venafi Cloud API token.
3567 properties:
3568 key:
3569 description: The key of the secret to select from. Must
3570 be a valid secret key.
3571 type: string
3572 name:
3573 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3574 TODO: Add other useful fields. apiVersion, kind, uid?'
3575 type: string
3576 required:
3577 - name
3578 type: object
3579 url:
3580 description: URL is the base URL for Venafi Cloud
3581 type: string
3582 required:
3583 - apiTokenSecretRef
3584 - url
3585 type: object
3586 tpp:
3587 description: TPP specifies Trust Protection Platform configuration
3588 settings. Only one of TPP or Cloud may be specified.
3589 properties:
3590 caBundle:
3591 description: CABundle is a PEM encoded TLS certificate to use
3592 to verify connections to the TPP instance. If specified, system
3593 roots will not be used and the issuing CA for the TPP instance
3594 must be verifiable using the provided root. If not specified,
3595 the connection will be verified using the cert-manager system
3596 root certificates.
3597 format: byte
3598 type: string
3599 credentialsRef:
3600 description: CredentialsRef is a reference to a Secret containing
3601 the username and password for the TPP server. The secret must
3602 contain two keys, 'username' and 'password'.
3603 properties:
3604 name:
3605 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3606 TODO: Add other useful fields. apiVersion, kind, uid?'
3607 type: string
3608 required:
3609 - name
3610 type: object
3611 url:
3612 description: URL is the base URL for the Venafi TPP instance
3613 type: string
3614 required:
3615 - credentialsRef
3616 - url
3617 type: object
3618 zone:
3619 description: Zone is the Venafi Policy Zone to use for this issuer.
3620 All requests made to the Venafi platform will be restricted by
3621 the named zone policy. This field is required.
3622 type: string
3623 required:
3624 - zone
3625 type: object
3626 type: object
3627 status:
3628 description: IssuerStatus contains status information about an Issuer
3629 properties:
3630 acme:
3631 properties:
3632 lastRegisteredEmail:
3633 description: LastRegisteredEmail is the email associated with the
3634 latest registered ACME account, in order to track changes made
3635 to registered account associated with the Issuer
3636 type: string
3637 uri:
3638 description: URI is the unique account identifier, which can also
3639 be used to retrieve account details from the CA
3640 type: string
3641 type: object
3642 conditions:
3643 items:
3644 description: IssuerCondition contains condition information for an
3645 Issuer.
3646 properties:
3647 lastTransitionTime:
3648 description: LastTransitionTime is the timestamp corresponding
3649 to the last status change of this condition.
3650 format: date-time
3651 type: string
3652 message:
3653 description: Message is a human readable description of the details
3654 of the last transition, complementing reason.
3655 type: string
3656 reason:
3657 description: Reason is a brief machine readable explanation for
3658 the condition's last transition.
3659 type: string
3660 status:
3661 description: Status of the condition, one of ('True', 'False',
3662 'Unknown').
3663 enum:
3664 - "True"
3665 - "False"
3666 - Unknown
3667 type: string
3668 type:
3669 description: Type of the condition, currently ('Ready').
3670 type: string
3671 required:
3672 - status
3673 - type
3674 type: object
3675 type: array
3676 type: object
3677 type: object
3678 version: v1alpha2
3679 versions:
3680 - name: v1alpha2
3681 served: true
3682 storage: true
3683status:
3684 acceptedNames:
3685 kind: ""
3686 plural: ""
3687 conditions: []
3688 storedVersions: []
3689---
3690
3691---
3692apiVersion: apiextensions.k8s.io/v1beta1
3693kind: CustomResourceDefinition
3694metadata:
3695 creationTimestamp: null
3696 name: issuers.cert-manager.io
3697spec:
3698 group: cert-manager.io
3699 names:
3700 kind: Issuer
3701 listKind: IssuerList
3702 plural: issuers
3703 singular: issuer
3704 scope: Namespaced
3705 subresources:
3706 status: {}
3707 validation:
3708 openAPIV3Schema:
3709 properties:
3710 apiVersion:
3711 description: 'APIVersion defines the versioned schema of this representation
3712 of an object. Servers should convert recognized schemas to the latest
3713 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3714 type: string
3715 kind:
3716 description: 'Kind is a string value representing the REST resource this
3717 object represents. Servers may infer this from the endpoint the client
3718 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3719 type: string
3720 metadata:
3721 type: object
3722 spec:
3723 description: IssuerSpec is the specification of an Issuer. This includes
3724 any configuration required for the issuer.
3725 properties:
3726 acme:
3727 description: ACMEIssuer contains the specification for an ACME issuer
3728 properties:
3729 email:
3730 description: Email is the email for this account
3731 type: string
3732 privateKeySecretRef:
3733 description: PrivateKey is the name of a secret containing the private
3734 key for this user account.
3735 properties:
3736 key:
3737 description: The key of the secret to select from. Must be a
3738 valid secret key.
3739 type: string
3740 name:
3741 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3742 TODO: Add other useful fields. apiVersion, kind, uid?'
3743 type: string
3744 required:
3745 - name
3746 type: object
3747 server:
3748 description: Server is the ACME server URL
3749 type: string
3750 skipTLSVerify:
3751 description: If true, skip verifying the ACME server TLS certificate
3752 type: boolean
3753 solvers:
3754 description: Solvers is a list of challenge solvers that will be
3755 used to solve ACME challenges for the matching domains.
3756 items:
3757 properties:
3758 dns01:
3759 properties:
3760 acmedns:
3761 description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
3762 containing the configuration for ACME-DNS servers
3763 properties:
3764 accountSecretRef:
3765 properties:
3766 key:
3767 description: The key of the secret to select from.
3768 Must be a valid secret key.
3769 type: string
3770 name:
3771 description: 'Name of the referent. More info:
3772 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3773 TODO: Add other useful fields. apiVersion, kind,
3774 uid?'
3775 type: string
3776 required:
3777 - name
3778 type: object
3779 host:
3780 type: string
3781 required:
3782 - accountSecretRef
3783 - host
3784 type: object
3785 akamai:
3786 description: ACMEIssuerDNS01ProviderAkamai is a structure
3787 containing the DNS configuration for Akamai DNS—Zone
3788 Record Management API
3789 properties:
3790 accessTokenSecretRef:
3791 properties:
3792 key:
3793 description: The key of the secret to select from.
3794 Must be a valid secret key.
3795 type: string
3796 name:
3797 description: 'Name of the referent. More info:
3798 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3799 TODO: Add other useful fields. apiVersion, kind,
3800 uid?'
3801 type: string
3802 required:
3803 - name
3804 type: object
3805 clientSecretSecretRef:
3806 properties:
3807 key:
3808 description: The key of the secret to select from.
3809 Must be a valid secret key.
3810 type: string
3811 name:
3812 description: 'Name of the referent. More info:
3813 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3814 TODO: Add other useful fields. apiVersion, kind,
3815 uid?'
3816 type: string
3817 required:
3818 - name
3819 type: object
3820 clientTokenSecretRef:
3821 properties:
3822 key:
3823 description: The key of the secret to select from.
3824 Must be a valid secret key.
3825 type: string
3826 name:
3827 description: 'Name of the referent. More info:
3828 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3829 TODO: Add other useful fields. apiVersion, kind,
3830 uid?'
3831 type: string
3832 required:
3833 - name
3834 type: object
3835 serviceConsumerDomain:
3836 type: string
3837 required:
3838 - accessTokenSecretRef
3839 - clientSecretSecretRef
3840 - clientTokenSecretRef
3841 - serviceConsumerDomain
3842 type: object
3843 azuredns:
3844 description: ACMEIssuerDNS01ProviderAzureDNS is a structure
3845 containing the configuration for Azure DNS
3846 properties:
3847 clientID:
3848 type: string
3849 clientSecretSecretRef:
3850 properties:
3851 key:
3852 description: The key of the secret to select from.
3853 Must be a valid secret key.
3854 type: string
3855 name:
3856 description: 'Name of the referent. More info:
3857 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3858 TODO: Add other useful fields. apiVersion, kind,
3859 uid?'
3860 type: string
3861 required:
3862 - name
3863 type: object
3864 environment:
3865 enum:
3866 - AzurePublicCloud
3867 - AzureChinaCloud
3868 - AzureGermanCloud
3869 - AzureUSGovernmentCloud
3870 type: string
3871 hostedZoneName:
3872 type: string
3873 resourceGroupName:
3874 type: string
3875 subscriptionID:
3876 type: string
3877 tenantID:
3878 type: string
3879 required:
3880 - clientID
3881 - clientSecretSecretRef
3882 - resourceGroupName
3883 - subscriptionID
3884 - tenantID
3885 type: object
3886 clouddns:
3887 description: ACMEIssuerDNS01ProviderCloudDNS is a structure
3888 containing the DNS configuration for Google Cloud DNS
3889 properties:
3890 project:
3891 type: string
3892 serviceAccountSecretRef:
3893 properties:
3894 key:
3895 description: The key of the secret to select from.
3896 Must be a valid secret key.
3897 type: string
3898 name:
3899 description: 'Name of the referent. More info:
3900 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3901 TODO: Add other useful fields. apiVersion, kind,
3902 uid?'
3903 type: string
3904 required:
3905 - name
3906 type: object
3907 required:
3908 - project
3909 - serviceAccountSecretRef
3910 type: object
3911 cloudflare:
3912 description: ACMEIssuerDNS01ProviderCloudflare is a structure
3913 containing the DNS configuration for Cloudflare
3914 properties:
3915 apiKeySecretRef:
3916 properties:
3917 key:
3918 description: The key of the secret to select from.
3919 Must be a valid secret key.
3920 type: string
3921 name:
3922 description: 'Name of the referent. More info:
3923 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3924 TODO: Add other useful fields. apiVersion, kind,
3925 uid?'
3926 type: string
3927 required:
3928 - name
3929 type: object
3930 email:
3931 type: string
3932 required:
3933 - apiKeySecretRef
3934 - email
3935 type: object
3936 cnameStrategy:
3937 description: CNAMEStrategy configures how the DNS01 provider
3938 should handle CNAME records when found in DNS zones.
3939 enum:
3940 - None
3941 - Follow
3942 type: string
3943 digitalocean:
3944 description: ACMEIssuerDNS01ProviderDigitalOcean is a
3945 structure containing the DNS configuration for DigitalOcean
3946 Domains
3947 properties:
3948 tokenSecretRef:
3949 properties:
3950 key:
3951 description: The key of the secret to select from.
3952 Must be a valid secret key.
3953 type: string
3954 name:
3955 description: 'Name of the referent. More info:
3956 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3957 TODO: Add other useful fields. apiVersion, kind,
3958 uid?'
3959 type: string
3960 required:
3961 - name
3962 type: object
3963 required:
3964 - tokenSecretRef
3965 type: object
3966 rfc2136:
3967 description: ACMEIssuerDNS01ProviderRFC2136 is a structure
3968 containing the configuration for RFC2136 DNS
3969 properties:
3970 nameserver:
3971 description: 'The IP address of the DNS supporting
3972 RFC2136. Required. Note: FQDN is not a valid value,
3973 only IP.'
3974 type: string
3975 tsigAlgorithm:
3976 description: 'The TSIG Algorithm configured in the
3977 DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
3978 and ``tsigKeyName`` are defined. Supported values
3979 are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
3980 ``HMACSHA256`` or ``HMACSHA512``.'
3981 type: string
3982 tsigKeyName:
3983 description: The TSIG Key name configured in the DNS.
3984 If ``tsigSecretSecretRef`` is defined, this field
3985 is required.
3986 type: string
3987 tsigSecretSecretRef:
3988 description: The name of the secret containing the
3989 TSIG value. If ``tsigKeyName`` is defined, this
3990 field is required.
3991 properties:
3992 key:
3993 description: The key of the secret to select from.
3994 Must be a valid secret key.
3995 type: string
3996 name:
3997 description: 'Name of the referent. More info:
3998 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3999 TODO: Add other useful fields. apiVersion, kind,
4000 uid?'
4001 type: string
4002 required:
4003 - name
4004 type: object
4005 required:
4006 - nameserver
4007 type: object
4008 route53:
4009 description: ACMEIssuerDNS01ProviderRoute53 is a structure
4010 containing the Route 53 configuration for AWS
4011 properties:
4012 accessKeyID:
4013 description: 'The AccessKeyID is used for authentication.
4014 If not set, we fall back to using env vars, shared
4015 credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
4016 type: string
4017 hostedZoneID:
4018 description: If set, the provider will manage only
4019 this zone in Route53 and will not do a lookup using
4020 the route53:ListHostedZonesByName api call.
4021 type: string
4022 region:
4023 description: Always set the region when using AccessKeyID
4024 and SecretAccessKey
4025 type: string
4026 role:
4027 description: Role is a Role ARN which the Route53
4028 provider will assume using either the explicit credentials
4029 AccessKeyID/SecretAccessKey or the inferred credentials
4030 from environment variables, shared credentials file
4031 or AWS Instance metadata
4032 type: string
4033 secretAccessKeySecretRef:
4034 description: The SecretAccessKey is used for authentication.
4035 If not set, we fall back to using env vars, shared
4036 credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4037 properties:
4038 key:
4039 description: The key of the secret to select from.
4040 Must be a valid secret key.
4041 type: string
4042 name:
4043 description: 'Name of the referent. More info:
4044 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4045 TODO: Add other useful fields. apiVersion, kind,
4046 uid?'
4047 type: string
4048 required:
4049 - name
4050 type: object
4051 required:
4052 - region
4053 type: object
4054 webhook:
4055 description: ACMEIssuerDNS01ProviderWebhook specifies
4056 configuration for a webhook DNS01 provider, including
4057 where to POST ChallengePayload resources.
4058 properties:
4059 config:
4060 description: Additional configuration that should
4061 be passed to the webhook apiserver when challenges
4062 are processed. This can contain arbitrary JSON data.
4063 Secret values should not be specified in this stanza.
4064 If secret values are needed (e.g. credentials for
4065 a DNS service), you should use a SecretKeySelector
4066 to reference a Secret resource. For details on the
4067 schema of this field, consult the webhook provider
4068 implementation's documentation.
4069 x-kubernetes-preserve-unknown-fields: true
4070 groupName:
4071 description: The API group name that should be used
4072 when POSTing ChallengePayload resources to the webhook
4073 apiserver. This should be the same as the GroupName
4074 specified in the webhook provider implementation.
4075 type: string
4076 solverName:
4077 description: The name of the solver to use, as defined
4078 in the webhook provider implementation. This will
4079 typically be the name of the provider, e.g. 'cloudflare'.
4080 type: string
4081 required:
4082 - groupName
4083 - solverName
4084 type: object
4085 type: object
4086 http01:
4087 description: ACMEChallengeSolverHTTP01 contains configuration
4088 detailing how to solve HTTP01 challenges within a Kubernetes
4089 cluster. Typically this is accomplished through creating
4090 'routes' of some description that configure ingress controllers
4091 to direct traffic to 'solver pods', which are responsible
4092 for responding to the ACME server's HTTP requests.
4093 properties:
4094 ingress:
4095 description: The ingress based HTTP01 challenge solver
4096 will solve challenges by creating or modifying Ingress
4097 resources in order to route requests for '/.well-known/acme-challenge/XYZ'
4098 to 'challenge solver' pods that are provisioned by cert-manager
4099 for each Challenge to be completed.
4100 properties:
4101 class:
4102 description: The ingress class to use when creating
4103 Ingress resources to solve ACME challenges that
4104 use this challenge solver. Only one of 'class' or
4105 'name' may be specified.
4106 type: string
4107 name:
4108 description: The name of the ingress resource that
4109 should have ACME challenge solving routes inserted
4110 into it in order to solve HTTP01 challenges. This
4111 is typically used in conjunction with ingress controllers
4112 like ingress-gce, which maintains a 1:1 mapping
4113 between external IPs and ingress resources.
4114 type: string
4115 podTemplate:
4116 description: Optional pod template used to configure
4117 the ACME challenge solver pods used for HTTP01 challenges
4118 properties:
4119 metadata:
4120 description: ObjectMeta overrides for the pod
4121 used to solve HTTP01 challenges. Only the 'labels'
4122 and 'annotations' fields may be set. If labels
4123 or annotations overlap with in-built values,
4124 the values here will override the in-built values.
4125 type: object
4126 spec:
4127 description: PodSpec defines overrides for the
4128 HTTP01 challenge solver pod. Only the 'nodeSelector',
4129 'affinity' and 'tolerations' fields are supported
4130 currently. All other fields will be ignored.
4131 properties:
4132 affinity:
4133 description: If specified, the pod's scheduling
4134 constraints
4135 properties:
4136 nodeAffinity:
4137 description: Describes node affinity scheduling
4138 rules for the pod.
4139 properties:
4140 preferredDuringSchedulingIgnoredDuringExecution:
4141 description: The scheduler will prefer
4142 to schedule pods to nodes that satisfy
4143 the affinity expressions specified
4144 by this field, but it may choose
4145 a node that violates one or more
4146 of the expressions. The node that
4147 is most preferred is the one with
4148 the greatest sum of weights, i.e.
4149 for each node that meets all of
4150 the scheduling requirements (resource
4151 request, requiredDuringScheduling
4152 affinity expressions, etc.), compute
4153 a sum by iterating through the elements
4154 of this field and adding "weight"
4155 to the sum if the node matches the
4156 corresponding matchExpressions;
4157 the node(s) with the highest sum
4158 are the most preferred.
4159 items:
4160 description: An empty preferred
4161 scheduling term matches all objects
4162 with implicit weight 0 (i.e. it's
4163 a no-op). A null preferred scheduling
4164 term matches no objects (i.e.
4165 is also a no-op).
4166 properties:
4167 preference:
4168 description: A node selector
4169 term, associated with the
4170 corresponding weight.
4171 properties:
4172 matchExpressions:
4173 description: A list of node
4174 selector requirements
4175 by node's labels.
4176 items:
4177 description: A node selector
4178 requirement is a selector
4179 that contains values,
4180 a key, and an operator
4181 that relates the key
4182 and values.
4183 properties:
4184 key:
4185 description: The label
4186 key that the selector
4187 applies to.
4188 type: string
4189 operator:
4190 description: Represents
4191 a key's relationship
4192 to a set of values.
4193 Valid operators
4194 are In, NotIn, Exists,
4195 DoesNotExist. Gt,
4196 and Lt.
4197 type: string
4198 values:
4199 description: An array
4200 of string values.
4201 If the operator
4202 is In or NotIn,
4203 the values array
4204 must be non-empty.
4205 If the operator
4206 is Exists or DoesNotExist,
4207 the values array
4208 must be empty. If
4209 the operator is
4210 Gt or Lt, the values
4211 array must have
4212 a single element,
4213 which will be interpreted
4214 as an integer. This
4215 array is replaced
4216 during a strategic
4217 merge patch.
4218 items:
4219 type: string
4220 type: array
4221 required:
4222 - key
4223 - operator
4224 type: object
4225 type: array
4226 matchFields:
4227 description: A list of node
4228 selector requirements
4229 by node's fields.
4230 items:
4231 description: A node selector
4232 requirement is a selector
4233 that contains values,
4234 a key, and an operator
4235 that relates the key
4236 and values.
4237 properties:
4238 key:
4239 description: The label
4240 key that the selector
4241 applies to.
4242 type: string
4243 operator:
4244 description: Represents
4245 a key's relationship
4246 to a set of values.
4247 Valid operators
4248 are In, NotIn, Exists,
4249 DoesNotExist. Gt,
4250 and Lt.
4251 type: string
4252 values:
4253 description: An array
4254 of string values.
4255 If the operator
4256 is In or NotIn,
4257 the values array
4258 must be non-empty.
4259 If the operator
4260 is Exists or DoesNotExist,
4261 the values array
4262 must be empty. If
4263 the operator is
4264 Gt or Lt, the values
4265 array must have
4266 a single element,
4267 which will be interpreted
4268 as an integer. This
4269 array is replaced
4270 during a strategic
4271 merge patch.
4272 items:
4273 type: string
4274 type: array
4275 required:
4276 - key
4277 - operator
4278 type: object
4279 type: array
4280 type: object
4281 weight:
4282 description: Weight associated
4283 with matching the corresponding
4284 nodeSelectorTerm, in the range
4285 1-100.
4286 format: int32
4287 type: integer
4288 required:
4289 - preference
4290 - weight
4291 type: object
4292 type: array
4293 requiredDuringSchedulingIgnoredDuringExecution:
4294 description: If the affinity requirements
4295 specified by this field are not
4296 met at scheduling time, the pod
4297 will not be scheduled onto the node.
4298 If the affinity requirements specified
4299 by this field cease to be met at
4300 some point during pod execution
4301 (e.g. due to an update), the system
4302 may or may not try to eventually
4303 evict the pod from its node.
4304 properties:
4305 nodeSelectorTerms:
4306 description: Required. A list
4307 of node selector terms. The
4308 terms are ORed.
4309 items:
4310 description: A null or empty
4311 node selector term matches
4312 no objects. The requirements
4313 of them are ANDed. The TopologySelectorTerm
4314 type implements a subset of
4315 the NodeSelectorTerm.
4316 properties:
4317 matchExpressions:
4318 description: A list of node
4319 selector requirements
4320 by node's labels.
4321 items:
4322 description: A node selector
4323 requirement is a selector
4324 that contains values,
4325 a key, and an operator
4326 that relates the key
4327 and values.
4328 properties:
4329 key:
4330 description: The label
4331 key that the selector
4332 applies to.
4333 type: string
4334 operator:
4335 description: Represents
4336 a key's relationship
4337 to a set of values.
4338 Valid operators
4339 are In, NotIn, Exists,
4340 DoesNotExist. Gt,
4341 and Lt.
4342 type: string
4343 values:
4344 description: An array
4345 of string values.
4346 If the operator
4347 is In or NotIn,
4348 the values array
4349 must be non-empty.
4350 If the operator
4351 is Exists or DoesNotExist,
4352 the values array
4353 must be empty. If
4354 the operator is
4355 Gt or Lt, the values
4356 array must have
4357 a single element,
4358 which will be interpreted
4359 as an integer. This
4360 array is replaced
4361 during a strategic
4362 merge patch.
4363 items:
4364 type: string
4365 type: array
4366 required:
4367 - key
4368 - operator
4369 type: object
4370 type: array
4371 matchFields:
4372 description: A list of node
4373 selector requirements
4374 by node's fields.
4375 items:
4376 description: A node selector
4377 requirement is a selector
4378 that contains values,
4379 a key, and an operator
4380 that relates the key
4381 and values.
4382 properties:
4383 key:
4384 description: The label
4385 key that the selector
4386 applies to.
4387 type: string
4388 operator:
4389 description: Represents
4390 a key's relationship
4391 to a set of values.
4392 Valid operators
4393 are In, NotIn, Exists,
4394 DoesNotExist. Gt,
4395 and Lt.
4396 type: string
4397 values:
4398 description: An array
4399 of string values.
4400 If the operator
4401 is In or NotIn,
4402 the values array
4403 must be non-empty.
4404 If the operator
4405 is Exists or DoesNotExist,
4406 the values array
4407 must be empty. If
4408 the operator is
4409 Gt or Lt, the values
4410 array must have
4411 a single element,
4412 which will be interpreted
4413 as an integer. This
4414 array is replaced
4415 during a strategic
4416 merge patch.
4417 items:
4418 type: string
4419 type: array
4420 required:
4421 - key
4422 - operator
4423 type: object
4424 type: array
4425 type: object
4426 type: array
4427 required:
4428 - nodeSelectorTerms
4429 type: object
4430 type: object
4431 podAffinity:
4432 description: Describes pod affinity scheduling
4433 rules (e.g. co-locate this pod in the
4434 same node, zone, etc. as some other
4435 pod(s)).
4436 properties:
4437 preferredDuringSchedulingIgnoredDuringExecution:
4438 description: The scheduler will prefer
4439 to schedule pods to nodes that satisfy
4440 the affinity expressions specified
4441 by this field, but it may choose
4442 a node that violates one or more
4443 of the expressions. The node that
4444 is most preferred is the one with
4445 the greatest sum of weights, i.e.
4446 for each node that meets all of
4447 the scheduling requirements (resource
4448 request, requiredDuringScheduling
4449 affinity expressions, etc.), compute
4450 a sum by iterating through the elements
4451 of this field and adding "weight"
4452 to the sum if the node has pods
4453 which matches the corresponding
4454 podAffinityTerm; the node(s) with
4455 the highest sum are the most preferred.
4456 items:
4457 description: The weights of all
4458 of the matched WeightedPodAffinityTerm
4459 fields are added per-node to find
4460 the most preferred node(s)
4461 properties:
4462 podAffinityTerm:
4463 description: Required. A pod
4464 affinity term, associated
4465 with the corresponding weight.
4466 properties:
4467 labelSelector:
4468 description: A label query
4469 over a set of resources,
4470 in this case pods.
4471 properties:
4472 matchExpressions:
4473 description: matchExpressions
4474 is a list of label
4475 selector requirements.
4476 The requirements are
4477 ANDed.
4478 items:
4479 description: A label
4480 selector requirement
4481 is a selector that
4482 contains values,
4483 a key, and an operator
4484 that relates the
4485 key and values.
4486 properties:
4487 key:
4488 description: key
4489 is the label
4490 key that the
4491 selector applies
4492 to.
4493 type: string
4494 operator:
4495 description: operator
4496 represents a
4497 key's relationship
4498 to a set of
4499 values. Valid
4500 operators are
4501 In, NotIn, Exists
4502 and DoesNotExist.
4503 type: string
4504 values:
4505 description: values
4506 is an array
4507 of string values.
4508 If the operator
4509 is In or NotIn,
4510 the values array
4511 must be non-empty.
4512 If the operator
4513 is Exists or
4514 DoesNotExist,
4515 the values array
4516 must be empty.
4517 This array is
4518 replaced during
4519 a strategic
4520 merge patch.
4521 items:
4522 type: string
4523 type: array
4524 required:
4525 - key
4526 - operator
4527 type: object
4528 type: array
4529 matchLabels:
4530 additionalProperties:
4531 type: string
4532 description: matchLabels
4533 is a map of {key,value}
4534 pairs. A single {key,value}
4535 in the matchLabels
4536 map is equivalent
4537 to an element of matchExpressions,
4538 whose key field is
4539 "key", the operator
4540 is "In", and the values
4541 array contains only
4542 "value". The requirements
4543 are ANDed.
4544 type: object
4545 type: object
4546 namespaces:
4547 description: namespaces
4548 specifies which namespaces
4549 the labelSelector applies
4550 to (matches against);
4551 null or empty list means
4552 "this pod's namespace"
4553 items:
4554 type: string
4555 type: array
4556 topologyKey:
4557 description: This pod should
4558 be co-located (affinity)
4559 or not co-located (anti-affinity)
4560 with the pods matching
4561 the labelSelector in the
4562 specified namespaces,
4563 where co-located is defined
4564 as running on a node whose
4565 value of the label with
4566 key topologyKey matches
4567 that of any node on which
4568 any of the selected pods
4569 is running. Empty topologyKey
4570 is not allowed.
4571 type: string
4572 required:
4573 - topologyKey
4574 type: object
4575 weight:
4576 description: weight associated
4577 with matching the corresponding
4578 podAffinityTerm, in the range
4579 1-100.
4580 format: int32
4581 type: integer
4582 required:
4583 - podAffinityTerm
4584 - weight
4585 type: object
4586 type: array
4587 requiredDuringSchedulingIgnoredDuringExecution:
4588 description: If the affinity requirements
4589 specified by this field are not
4590 met at scheduling time, the pod
4591 will not be scheduled onto the node.
4592 If the affinity requirements specified
4593 by this field cease to be met at
4594 some point during pod execution
4595 (e.g. due to a pod label update),
4596 the system may or may not try to
4597 eventually evict the pod from its
4598 node. When there are multiple elements,
4599 the lists of nodes corresponding
4600 to each podAffinityTerm are intersected,
4601 i.e. all terms must be satisfied.
4602 items:
4603 description: Defines a set of pods
4604 (namely those matching the labelSelector
4605 relative to the given namespace(s))
4606 that this pod should be co-located
4607 (affinity) or not co-located (anti-affinity)
4608 with, where co-located is defined
4609 as running on a node whose value
4610 of the label with key <topologyKey>
4611 matches that of any node on which
4612 a pod of the set of pods is running
4613 properties:
4614 labelSelector:
4615 description: A label query over
4616 a set of resources, in this
4617 case pods.
4618 properties:
4619 matchExpressions:
4620 description: matchExpressions
4621 is a list of label selector
4622 requirements. The requirements
4623 are ANDed.
4624 items:
4625 description: A label selector
4626 requirement is a selector
4627 that contains values,
4628 a key, and an operator
4629 that relates the key
4630 and values.
4631 properties:
4632 key:
4633 description: key is
4634 the label key that
4635 the selector applies
4636 to.
4637 type: string
4638 operator:
4639 description: operator
4640 represents a key's
4641 relationship to
4642 a set of values.
4643 Valid operators
4644 are In, NotIn, Exists
4645 and DoesNotExist.
4646 type: string
4647 values:
4648 description: values
4649 is an array of string
4650 values. If the operator
4651 is In or NotIn,
4652 the values array
4653 must be non-empty.
4654 If the operator
4655 is Exists or DoesNotExist,
4656 the values array
4657 must be empty. This
4658 array is replaced
4659 during a strategic
4660 merge patch.
4661 items:
4662 type: string
4663 type: array
4664 required:
4665 - key
4666 - operator
4667 type: object
4668 type: array
4669 matchLabels:
4670 additionalProperties:
4671 type: string
4672 description: matchLabels
4673 is a map of {key,value}
4674 pairs. A single {key,value}
4675 in the matchLabels map
4676 is equivalent to an element
4677 of matchExpressions, whose
4678 key field is "key", the
4679 operator is "In", and
4680 the values array contains
4681 only "value". The requirements
4682 are ANDed.
4683 type: object
4684 type: object
4685 namespaces:
4686 description: namespaces specifies
4687 which namespaces the labelSelector
4688 applies to (matches against);
4689 null or empty list means "this
4690 pod's namespace"
4691 items:
4692 type: string
4693 type: array
4694 topologyKey:
4695 description: This pod should
4696 be co-located (affinity) or
4697 not co-located (anti-affinity)
4698 with the pods matching the
4699 labelSelector in the specified
4700 namespaces, where co-located
4701 is defined as running on a
4702 node whose value of the label
4703 with key topologyKey matches
4704 that of any node on which
4705 any of the selected pods is
4706 running. Empty topologyKey
4707 is not allowed.
4708 type: string
4709 required:
4710 - topologyKey
4711 type: object
4712 type: array
4713 type: object
4714 podAntiAffinity:
4715 description: Describes pod anti-affinity
4716 scheduling rules (e.g. avoid putting
4717 this pod in the same node, zone, etc.
4718 as some other pod(s)).
4719 properties:
4720 preferredDuringSchedulingIgnoredDuringExecution:
4721 description: The scheduler will prefer
4722 to schedule pods to nodes that satisfy
4723 the anti-affinity expressions specified
4724 by this field, but it may choose
4725 a node that violates one or more
4726 of the expressions. The node that
4727 is most preferred is the one with
4728 the greatest sum of weights, i.e.
4729 for each node that meets all of
4730 the scheduling requirements (resource
4731 request, requiredDuringScheduling
4732 anti-affinity expressions, etc.),
4733 compute a sum by iterating through
4734 the elements of this field and adding
4735 "weight" to the sum if the node
4736 has pods which matches the corresponding
4737 podAffinityTerm; the node(s) with
4738 the highest sum are the most preferred.
4739 items:
4740 description: The weights of all
4741 of the matched WeightedPodAffinityTerm
4742 fields are added per-node to find
4743 the most preferred node(s)
4744 properties:
4745 podAffinityTerm:
4746 description: Required. A pod
4747 affinity term, associated
4748 with the corresponding weight.
4749 properties:
4750 labelSelector:
4751 description: A label query
4752 over a set of resources,
4753 in this case pods.
4754 properties:
4755 matchExpressions:
4756 description: matchExpressions
4757 is a list of label
4758 selector requirements.
4759 The requirements are
4760 ANDed.
4761 items:
4762 description: A label
4763 selector requirement
4764 is a selector that
4765 contains values,
4766 a key, and an operator
4767 that relates the
4768 key and values.
4769 properties:
4770 key:
4771 description: key
4772 is the label
4773 key that the
4774 selector applies
4775 to.
4776 type: string
4777 operator:
4778 description: operator
4779 represents a
4780 key's relationship
4781 to a set of
4782 values. Valid
4783 operators are
4784 In, NotIn, Exists
4785 and DoesNotExist.
4786 type: string
4787 values:
4788 description: values
4789 is an array
4790 of string values.
4791 If the operator
4792 is In or NotIn,
4793 the values array
4794 must be non-empty.
4795 If the operator
4796 is Exists or
4797 DoesNotExist,
4798 the values array
4799 must be empty.
4800 This array is
4801 replaced during
4802 a strategic
4803 merge patch.
4804 items:
4805 type: string
4806 type: array
4807 required:
4808 - key
4809 - operator
4810 type: object
4811 type: array
4812 matchLabels:
4813 additionalProperties:
4814 type: string
4815 description: matchLabels
4816 is a map of {key,value}
4817 pairs. A single {key,value}
4818 in the matchLabels
4819 map is equivalent
4820 to an element of matchExpressions,
4821 whose key field is
4822 "key", the operator
4823 is "In", and the values
4824 array contains only
4825 "value". The requirements
4826 are ANDed.
4827 type: object
4828 type: object
4829 namespaces:
4830 description: namespaces
4831 specifies which namespaces
4832 the labelSelector applies
4833 to (matches against);
4834 null or empty list means
4835 "this pod's namespace"
4836 items:
4837 type: string
4838 type: array
4839 topologyKey:
4840 description: This pod should
4841 be co-located (affinity)
4842 or not co-located (anti-affinity)
4843 with the pods matching
4844 the labelSelector in the
4845 specified namespaces,
4846 where co-located is defined
4847 as running on a node whose
4848 value of the label with
4849 key topologyKey matches
4850 that of any node on which
4851 any of the selected pods
4852 is running. Empty topologyKey
4853 is not allowed.
4854 type: string
4855 required:
4856 - topologyKey
4857 type: object
4858 weight:
4859 description: weight associated
4860 with matching the corresponding
4861 podAffinityTerm, in the range
4862 1-100.
4863 format: int32
4864 type: integer
4865 required:
4866 - podAffinityTerm
4867 - weight
4868 type: object
4869 type: array
4870 requiredDuringSchedulingIgnoredDuringExecution:
4871 description: If the anti-affinity
4872 requirements specified by this field
4873 are not met at scheduling time,
4874 the pod will not be scheduled onto
4875 the node. If the anti-affinity requirements
4876 specified by this field cease to
4877 be met at some point during pod
4878 execution (e.g. due to a pod label
4879 update), the system may or may not
4880 try to eventually evict the pod
4881 from its node. When there are multiple
4882 elements, the lists of nodes corresponding
4883 to each podAffinityTerm are intersected,
4884 i.e. all terms must be satisfied.
4885 items:
4886 description: Defines a set of pods
4887 (namely those matching the labelSelector
4888 relative to the given namespace(s))
4889 that this pod should be co-located
4890 (affinity) or not co-located (anti-affinity)
4891 with, where co-located is defined
4892 as running on a node whose value
4893 of the label with key <topologyKey>
4894 matches that of any node on which
4895 a pod of the set of pods is running
4896 properties:
4897 labelSelector:
4898 description: A label query over
4899 a set of resources, in this
4900 case pods.
4901 properties:
4902 matchExpressions:
4903 description: matchExpressions
4904 is a list of label selector
4905 requirements. The requirements
4906 are ANDed.
4907 items:
4908 description: A label selector
4909 requirement is a selector
4910 that contains values,
4911 a key, and an operator
4912 that relates the key
4913 and values.
4914 properties:
4915 key:
4916 description: key is
4917 the label key that
4918 the selector applies
4919 to.
4920 type: string
4921 operator:
4922 description: operator
4923 represents a key's
4924 relationship to
4925 a set of values.
4926 Valid operators
4927 are In, NotIn, Exists
4928 and DoesNotExist.
4929 type: string
4930 values:
4931 description: values
4932 is an array of string
4933 values. If the operator
4934 is In or NotIn,
4935 the values array
4936 must be non-empty.
4937 If the operator
4938 is Exists or DoesNotExist,
4939 the values array
4940 must be empty. This
4941 array is replaced
4942 during a strategic
4943 merge patch.
4944 items:
4945 type: string
4946 type: array
4947 required:
4948 - key
4949 - operator
4950 type: object
4951 type: array
4952 matchLabels:
4953 additionalProperties:
4954 type: string
4955 description: matchLabels
4956 is a map of {key,value}
4957 pairs. A single {key,value}
4958 in the matchLabels map
4959 is equivalent to an element
4960 of matchExpressions, whose
4961 key field is "key", the
4962 operator is "In", and
4963 the values array contains
4964 only "value". The requirements
4965 are ANDed.
4966 type: object
4967 type: object
4968 namespaces:
4969 description: namespaces specifies
4970 which namespaces the labelSelector
4971 applies to (matches against);
4972 null or empty list means "this
4973 pod's namespace"
4974 items:
4975 type: string
4976 type: array
4977 topologyKey:
4978 description: This pod should
4979 be co-located (affinity) or
4980 not co-located (anti-affinity)
4981 with the pods matching the
4982 labelSelector in the specified
4983 namespaces, where co-located
4984 is defined as running on a
4985 node whose value of the label
4986 with key topologyKey matches
4987 that of any node on which
4988 any of the selected pods is
4989 running. Empty topologyKey
4990 is not allowed.
4991 type: string
4992 required:
4993 - topologyKey
4994 type: object
4995 type: array
4996 type: object
4997 type: object
4998 nodeSelector:
4999 additionalProperties:
5000 type: string
5001 description: 'NodeSelector is a selector which
5002 must be true for the pod to fit on a node.
5003 Selector which must match a node''s labels
5004 for the pod to be scheduled on that node.
5005 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
5006 type: object
5007 tolerations:
5008 description: If specified, the pod's tolerations.
5009 items:
5010 description: The pod this Toleration is
5011 attached to tolerates any taint that matches
5012 the triple <key,value,effect> using the
5013 matching operator <operator>.
5014 properties:
5015 effect:
5016 description: Effect indicates the taint
5017 effect to match. Empty means match
5018 all taint effects. When specified,
5019 allowed values are NoSchedule, PreferNoSchedule
5020 and NoExecute.
5021 type: string
5022 key:
5023 description: Key is the taint key that
5024 the toleration applies to. Empty means
5025 match all taint keys. If the key is
5026 empty, operator must be Exists; this
5027 combination means to match all values
5028 and all keys.
5029 type: string
5030 operator:
5031 description: Operator represents a key's
5032 relationship to the value. Valid operators
5033 are Exists and Equal. Defaults to
5034 Equal. Exists is equivalent to wildcard
5035 for value, so that a pod can tolerate
5036 all taints of a particular category.
5037 type: string
5038 tolerationSeconds:
5039 description: TolerationSeconds represents
5040 the period of time the toleration
5041 (which must be of effect NoExecute,
5042 otherwise this field is ignored) tolerates
5043 the taint. By default, it is not set,
5044 which means tolerate the taint forever
5045 (do not evict). Zero and negative
5046 values will be treated as 0 (evict
5047 immediately) by the system.
5048 format: int64
5049 type: integer
5050 value:
5051 description: Value is the taint value
5052 the toleration matches to. If the
5053 operator is Exists, the value should
5054 be empty, otherwise just a regular
5055 string.
5056 type: string
5057 type: object
5058 type: array
5059 type: object
5060 type: object
5061 serviceType:
5062 description: Optional service type for Kubernetes
5063 solver service
5064 type: string
5065 type: object
5066 type: object
5067 selector:
5068 description: Selector selects a set of DNSNames on the Certificate
5069 resource that should be solved using this challenge solver.
5070 properties:
5071 dnsNames:
5072 description: List of DNSNames that this solver will be
5073 used to solve. If specified and a match is found, a
5074 dnsNames selector will take precedence over a dnsZones
5075 selector. If multiple solvers match with the same dnsNames
5076 value, the solver with the most matching labels in matchLabels
5077 will be selected. If neither has more matches, the solver
5078 defined earlier in the list will be selected.
5079 items:
5080 type: string
5081 type: array
5082 dnsZones:
5083 description: List of DNSZones that this solver will be
5084 used to solve. The most specific DNS zone match specified
5085 here will take precedence over other DNS zone matches,
5086 so a solver specifying sys.example.com will be selected
5087 over one specifying example.com for the domain www.sys.example.com.
5088 If multiple solvers match with the same dnsZones value,
5089 the solver with the most matching labels in matchLabels
5090 will be selected. If neither has more matches, the solver
5091 defined earlier in the list will be selected.
5092 items:
5093 type: string
5094 type: array
5095 matchLabels:
5096 additionalProperties:
5097 type: string
5098 description: A label selector that is used to refine the
5099 set of certificates that this challenge solver will
5100 apply to.
5101 type: object
5102 type: object
5103 type: object
5104 type: array
5105 required:
5106 - privateKeySecretRef
5107 - server
5108 type: object
5109 ca:
5110 properties:
5111 secretName:
5112 description: SecretName is the name of the secret used to sign Certificates
5113 issued by this Issuer.
5114 type: string
5115 required:
5116 - secretName
5117 type: object
5118 selfSigned:
5119 type: object
5120 vault:
5121 properties:
5122 auth:
5123 description: Vault authentication
5124 properties:
5125 appRole:
5126 description: This Secret contains an AppRole and Secret
5127 properties:
5128 path:
5129 description: Where the authentication path is mounted in
5130 Vault.
5131 type: string
5132 roleId:
5133 type: string
5134 secretRef:
5135 properties:
5136 key:
5137 description: The key of the secret to select from. Must
5138 be a valid secret key.
5139 type: string
5140 name:
5141 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5142 TODO: Add other useful fields. apiVersion, kind, uid?'
5143 type: string
5144 required:
5145 - name
5146 type: object
5147 required:
5148 - path
5149 - roleId
5150 - secretRef
5151 type: object
5152 kubernetes:
5153 description: This contains a Role and Secret with a ServiceAccount
5154 token to authenticate with vault.
5155 properties:
5156 mountPath:
5157 description: The value here will be used as part of the
5158 path used when authenticating with vault, for example
5159 if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
5160 If unspecified, the default value "kubernetes" will be
5161 used.
5162 type: string
5163 role:
5164 description: A required field containing the Vault Role
5165 to assume. A Role binds a Kubernetes ServiceAccount with
5166 a set of Vault policies.
5167 type: string
5168 secretRef:
5169 description: The required Secret field containing a Kubernetes
5170 ServiceAccount JWT used for authenticating with Vault.
5171 Use of 'ambient credentials' is not supported.
5172 properties:
5173 key:
5174 description: The key of the secret to select from. Must
5175 be a valid secret key.
5176 type: string
5177 name:
5178 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5179 TODO: Add other useful fields. apiVersion, kind, uid?'
5180 type: string
5181 required:
5182 - name
5183 type: object
5184 required:
5185 - role
5186 - secretRef
5187 type: object
5188 tokenSecretRef:
5189 description: This Secret contains the Vault token key
5190 properties:
5191 key:
5192 description: The key of the secret to select from. Must
5193 be a valid secret key.
5194 type: string
5195 name:
5196 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5197 TODO: Add other useful fields. apiVersion, kind, uid?'
5198 type: string
5199 required:
5200 - name
5201 type: object
5202 type: object
5203 caBundle:
5204 description: Base64 encoded CA bundle to validate Vault server certificate.
5205 Only used if the Server URL is using HTTPS protocol. This parameter
5206 is ignored for plain HTTP protocol connection. If not set the
5207 system root certificates are used to validate the TLS connection.
5208 format: byte
5209 type: string
5210 path:
5211 description: Vault URL path to the certificate role
5212 type: string
5213 server:
5214 description: Server is the vault connection address
5215 type: string
5216 required:
5217 - auth
5218 - path
5219 - server
5220 type: object
5221 venafi:
5222 description: VenafiIssuer describes issuer configuration details for
5223 Venafi Cloud.
5224 properties:
5225 cloud:
5226 description: Cloud specifies the Venafi cloud configuration settings.
5227 Only one of TPP or Cloud may be specified.
5228 properties:
5229 apiTokenSecretRef:
5230 description: APITokenSecretRef is a secret key selector for
5231 the Venafi Cloud API token.
5232 properties:
5233 key:
5234 description: The key of the secret to select from. Must
5235 be a valid secret key.
5236 type: string
5237 name:
5238 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5239 TODO: Add other useful fields. apiVersion, kind, uid?'
5240 type: string
5241 required:
5242 - name
5243 type: object
5244 url:
5245 description: URL is the base URL for Venafi Cloud
5246 type: string
5247 required:
5248 - apiTokenSecretRef
5249 - url
5250 type: object
5251 tpp:
5252 description: TPP specifies Trust Protection Platform configuration
5253 settings. Only one of TPP or Cloud may be specified.
5254 properties:
5255 caBundle:
5256 description: CABundle is a PEM encoded TLS certificate to use
5257 to verify connections to the TPP instance. If specified, system
5258 roots will not be used and the issuing CA for the TPP instance
5259 must be verifiable using the provided root. If not specified,
5260 the connection will be verified using the cert-manager system
5261 root certificates.
5262 format: byte
5263 type: string
5264 credentialsRef:
5265 description: CredentialsRef is a reference to a Secret containing
5266 the username and password for the TPP server. The secret must
5267 contain two keys, 'username' and 'password'.
5268 properties:
5269 name:
5270 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5271 TODO: Add other useful fields. apiVersion, kind, uid?'
5272 type: string
5273 required:
5274 - name
5275 type: object
5276 url:
5277 description: URL is the base URL for the Venafi TPP instance
5278 type: string
5279 required:
5280 - credentialsRef
5281 - url
5282 type: object
5283 zone:
5284 description: Zone is the Venafi Policy Zone to use for this issuer.
5285 All requests made to the Venafi platform will be restricted by
5286 the named zone policy. This field is required.
5287 type: string
5288 required:
5289 - zone
5290 type: object
5291 type: object
5292 status:
5293 description: IssuerStatus contains status information about an Issuer
5294 properties:
5295 acme:
5296 properties:
5297 lastRegisteredEmail:
5298 description: LastRegisteredEmail is the email associated with the
5299 latest registered ACME account, in order to track changes made
5300 to registered account associated with the Issuer
5301 type: string
5302 uri:
5303 description: URI is the unique account identifier, which can also
5304 be used to retrieve account details from the CA
5305 type: string
5306 type: object
5307 conditions:
5308 items:
5309 description: IssuerCondition contains condition information for an
5310 Issuer.
5311 properties:
5312 lastTransitionTime:
5313 description: LastTransitionTime is the timestamp corresponding
5314 to the last status change of this condition.
5315 format: date-time
5316 type: string
5317 message:
5318 description: Message is a human readable description of the details
5319 of the last transition, complementing reason.
5320 type: string
5321 reason:
5322 description: Reason is a brief machine readable explanation for
5323 the condition's last transition.
5324 type: string
5325 status:
5326 description: Status of the condition, one of ('True', 'False',
5327 'Unknown').
5328 enum:
5329 - "True"
5330 - "False"
5331 - Unknown
5332 type: string
5333 type:
5334 description: Type of the condition, currently ('Ready').
5335 type: string
5336 required:
5337 - status
5338 - type
5339 type: object
5340 type: array
5341 type: object
5342 type: object
5343 version: v1alpha2
5344 versions:
5345 - name: v1alpha2
5346 served: true
5347 storage: true
5348status:
5349 acceptedNames:
5350 kind: ""
5351 plural: ""
5352 conditions: []
5353 storedVersions: []
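---
# Namespace that holds the cert-manager, cainjector and webhook workloads.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    # The ValidatingWebhookConfiguration in this manifest skips namespaces
    # whose `name` label equals `cert-manager`. Kubernetes does not add a
    # `name` label to Namespaces on its own, so it is set here explicitly;
    # without it the exclusion never matches.
    name: cert-manager
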
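---
# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
# Identity of the cainjector Deployment. The ClusterRole bound to this
# account grants cluster-wide Secret reads, so its token must not be mounted
# into any other workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
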
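---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity of the cert-manager controller Deployment. The chart rendered an
# empty `annotations:` key here (a bare key parses as null); it is omitted
# because the API server treats null and absent annotations the same way.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
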
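---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
# Identity of the admission/conversion webhook Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
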
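---
# Source: cert-manager/charts/cainjector/templates/rbac.yaml
# Cluster-scoped permissions for cainjector. Blast radius to keep in mind:
# this role reads every Secret in the cluster and can rewrite admission
# webhook configurations, APIServices and CRDs (the objects it injects CA
# bundles into). A workload holding this ServiceAccount token could both
# read credentials and change which endpoints the API server trusts for
# admission, so audit API calls made by this identity and restrict exec
# access to the cainjector pod.
# rbac.authorization.k8s.io/v1 is used (GA since 1.8; v1beta1 is removed in
# 1.22) to match the v1 ClusterRoles elsewhere in this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
rules:
  # Read-only on Certificate resources.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Read access to all Secrets; not narrowed by namespace or resourceNames.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  # Injection targets: the caBundle fields of these objects are updated.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
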
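---
# Binds the cluster-wide cainjector role to its ServiceAccount.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: "cert-manager"
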
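---
# leader election rules
# Namespaced Role in kube-system used for cainjector leader election.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  # As written this allows get/create/update/patch on every ConfigMap in
  # kube-system; once the lock's name is known it can be narrowed with
  # `resourceNames: ["<LEADER-ELECTION-CONFIGMAP-NAME>"]` (create cannot be
  # restricted by resourceNames and would need to stay in a separate rule).
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
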
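---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
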
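---
# Source: cert-manager/templates/webhook-rbac.yaml
### Webhook ###
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
# system:auth-delegator lets the webhook ServiceAccount create TokenReviews
# and SubjectAccessReviews, which is how an aggregated API server checks the
# identity the kube-apiserver forwards to it. It does not expose other
# principals' tokens, but the binding is cluster-scoped, so keep this
# ServiceAccount confined to the webhook Deployment.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
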
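---
# apiserver gets the ability to read authentication. This allows it to
# read the specific configmap that has the requestheader-* entries to
# api agg
# extension-apiserver-authentication-reader is the built-in kube-system Role
# that grants read access to the configmap carrying the request-header client
# CA; the webhook needs it to verify that front-proxy requests really come
# from the kube-apiserver.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
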
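---
# Role for callers of the aggregated admission API (the kube-apiserver
# itself, which posts admission reviews to the webhook service).
# NOTE(review): no binding for this ClusterRole appears in this section of
# the manifest; confirm the intended subject is bound elsewhere, otherwise
# the role is inert.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  - apiGroups:
      - admission.cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - issuers
      - clusterissuers
    verbs:
      - create
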
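---
# Source: cert-manager/templates/rbac.yaml
# Namespaced Role in kube-system used for controller leader election.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  # Currently grants get/create/update/patch on every ConfigMap in
  # kube-system; narrow get/update/patch with
  # `resourceNames: ["<LEADER-ELECTION-CONFIGMAP-NAME>"]` once the lock name
  # is confirmed (create must stay unrestricted in its own rule).
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]
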
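---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
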
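---
# Issuer controller role
# Grants full lifecycle on Secrets in every namespace: the controller stores
# ACME account keys and CA material there. Because this is a ClusterRole,
# the cert-manager ServiceAccount can read and delete any Secret in the
# cluster, not only the ones it created; treat the controller pod as
# privileged and monitor Secret access by this identity.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
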
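---
# ClusterIssuer controller role
# Same Secret permissions as the Issuer role (cluster-wide create/update/
# delete); ClusterIssuer secrets are resolved from the namespace given by
# the controller's --cluster-resource-namespace flag.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
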
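---
# Certificates controller role
# Issued certificates and private keys are written to Secrets in the
# requesting namespace, hence the cluster-wide Secret create/update/delete.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
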
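---
# Orders controller role
# Secrets are read-only here (ACME account key lookup); challenges are
# created and deleted on behalf of each order.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
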
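---
# Challenges controller role
# The HTTP01 solver creates Pods, Services and Ingresses in the namespace
# of the Certificate being issued, which is why these are cluster-wide.
# The duplicate Secret rule the chart emitted for DNS01 has been folded into
# the single Secret rule below (RBAC rules are a union, so the effective
# permissions are unchanged).
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges;
  # the same read access covers DNS01 provider credentials stored in Secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # The `extensions` Ingress API is deprecated; clusters from 1.22 serve
  # Ingress only under networking.k8s.io, where this rule grants nothing.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
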
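---
# ingress-shim controller role
# ingress-shim creates Certificate objects from annotated Ingresses; it has
# no Secret access of its own.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # `extensions` Ingress API is deprecated (not served from 1.22 onward).
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
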
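---
# NOTE(review): this binding references a ClusterRole named
# `cert-manager-leaderelection`, which is not defined in this section of the
# manifest (leader election is otherwise handled by the namespaced
# `cert-manager:leaderelection` Role in kube-system). A binding to an absent
# role grants nothing today but becomes live the moment a ClusterRole of that
# name is created; confirm it is intentional or drop it.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-leaderelection
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
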
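---
# Binds the Issuer controller role to the cert-manager ServiceAccount.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
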
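---
# Binds the ClusterIssuer controller role to the cert-manager ServiceAccount.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
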
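---
# Binds the Certificates controller role to the cert-manager ServiceAccount.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
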
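---
# Binds the Orders controller role to the cert-manager ServiceAccount.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
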
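---
# Binds the Challenges controller role to the cert-manager ServiceAccount.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
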
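---
# Binds the ingress-shim controller role to the cert-manager ServiceAccount.
# Together with the other bindings above, the single `cert-manager`
# ServiceAccount accumulates every controller role in this manifest.
# (rbac v1: GA since 1.8, v1beta1 removed in 1.22.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "cert-manager"
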
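---
# Aggregated into the built-in view/edit/admin ClusterRoles: anyone holding
# those roles in a namespace can read cert-manager resources there. Note that
# Certificate objects themselves do not contain key material (that lives in
# the referenced Secret), so read access here does not expose private keys.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
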
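---
# Aggregated into the built-in edit/admin ClusterRoles. Holders of `edit` in
# a namespace can therefore create Issuers and Certificates there, which
# makes cert-manager write certificate Secrets into that namespace on their
# behalf; review this if namespace `edit` is handed out broadly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
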
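---
# Source: cert-manager/templates/service.yaml
# ClusterIP Service exposing the controller's Prometheus metrics endpoint
# (port 9402, matching the Deployment's containerPort). The endpoint is
# unauthenticated but only reachable inside the cluster; a NetworkPolicy can
# limit it to the scraping namespace if metrics are considered sensitive.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
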
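---
# Source: cert-manager/templates/webhook-service.yaml
# Service the APIService below routes admission traffic to. Port 443 maps to
# container port 6443, which must agree with the webhook's --secure-port.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      targetPort: 6443
  selector:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
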
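---
# Source: cert-manager/charts/cainjector/templates/deployment.yaml
# cainjector copies CA bundles from Secrets into webhook/APIService/CRD
# objects. It runs with the cluster-wide Secret-reading ServiceAccount, so
# the hardening notes below matter more here than for an ordinary workload.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.11.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cainjector-v0.11.0
    spec:
      serviceAccountName: cert-manager-cainjector
      # NOTE(review): no pod or container securityContext is set. Consider
      # `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`,
      # `readOnlyRootFilesystem: true` and `runAsNonRoot: true`; confirm the
      # user the image runs as before enabling runAsNonRoot.
      containers:
        - name: cainjector
          # Tag-only reference. For supply-chain integrity pin the digest,
          # e.g. "quay.io/jetstack/cert-manager-cainjector-arm@sha256:<DIGEST>".
          image: "quay.io/jetstack/cert-manager-cainjector-arm:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # Leader-election lock lives in kube-system; see the
            # cert-manager-cainjector:leaderelection Role/RoleBinding.
            - --leader-election-namespace=kube-system
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests/limits: a privileged identity with unbounded CPU and
          # memory is easy to starve or be starved by neighbours; set limits
          # once the component's footprint is measured.
          resources: {}
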
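---
# Source: cert-manager/templates/deployment.yaml
# The cert-manager controller. Its ServiceAccount holds every controller
# ClusterRole in this manifest, including cluster-wide Secret create/update/
# delete, so this pod is the highest-value target in the install.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.11.0
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      # NOTE(review): no pod or container securityContext is set. Consider
      # `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`,
      # `readOnlyRootFilesystem: true` and `runAsNonRoot: true`; confirm the
      # user the image runs as before enabling runAsNonRoot.
      containers:
        - name: cert-manager
          # Tag-only reference. For supply-chain integrity pin the digest,
          # e.g. "quay.io/jetstack/cert-manager-controller-arm@sha256:<DIGEST>".
          image: "quay.io/jetstack/cert-manager-controller-arm:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # Namespace searched for Secrets referenced by ClusterIssuers;
            # resolved from the POD_NAMESPACE env var below.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=kube-system
            # The controller provisions the webhook's CA and serving
            # certificate into these two Secrets; the webhook Deployment
            # mounts cert-manager-webhook-tls and the APIService has its
            # caBundle injected from the same Secret.
            - --webhook-namespace=$(POD_NAMESPACE)
            - --webhook-ca-secret=cert-manager-webhook-ca
            - --webhook-serving-secret=cert-manager-webhook-tls
            # SANs on the serving cert must cover the names the API server
            # dials (service, service.namespace, service.namespace.svc).
            - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
            - containerPort: 9402
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Requests only; no limits are set.
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
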
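---
# Source: cert-manager/templates/webhook-deployment.yaml
# Admission webhook served through the API aggregation layer. With
# `failurePolicy: Fail` on the webhook configurations and a single replica,
# an unavailable webhook pod blocks every create/update of cert-manager.io
# resources until it is back; raise replicas where that matters.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.11.0
    spec:
      serviceAccountName: cert-manager-webhook
      # NOTE(review): no pod or container securityContext is set. Consider
      # `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`,
      # `readOnlyRootFilesystem: true` and `runAsNonRoot: true`; confirm the
      # user the image runs as before enabling runAsNonRoot.
      containers:
        # Container is named `cert-manager` although it runs the webhook
        # image; kept as rendered so existing selectors/monitoring match.
        - name: cert-manager
          # Tag-only reference. For supply-chain integrity pin the digest,
          # e.g. "quay.io/jetstack/cert-manager-webhook-arm@sha256:<DIGEST>".
          image: "quay.io/jetstack/cert-manager-webhook-arm:v0.11.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # Must match the Service's targetPort (6443).
            - --secure-port=6443
            # Serving key pair comes from the cert-manager-webhook-tls Secret
            # mounted at /certs.
            - --tls-cert-file=/certs/tls.crt
            - --tls-private-key-file=/certs/tls.key
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests/limits set; see the availability note above.
          resources: {}
          volumeMounts:
            - name: certs
              mountPath: /certs
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-webhook-tls
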
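---
# Source: cert-manager/templates/webhook-apiservice.yaml
# Registers the webhook as an aggregated API. The caBundle is not set here;
# cainjector fills it from the cert-manager-webhook-tls Secret named in the
# annotation, so the kube-apiserver verifies the webhook's serving cert
# (insecureSkipTLSVerify is deliberately absent). Until injection happens
# the APIService stays unavailable rather than trusting an unverified peer.
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.webhook.cert-manager.io
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
spec:
  group: webhook.cert-manager.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook
    namespace: "cert-manager"
  version: v1beta1
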
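---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Mutating admission for cert-manager.io resources. clientConfig points at
# the kube-apiserver's own `kubernetes` Service and an /apis/... path, i.e.
# requests go through the aggregation layer to the APIService above; the
# inject-apiserver-ca annotation asks cainjector to set caBundle to the API
# server's CA so that hop is verified.
# NOTE(review): unlike the validating configuration, this one has no
# namespaceSelector and no `sideEffects` field (required once the v1 API is
# used); confirm both are intended before upgrading the apiVersion.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - orders
          - challenges
          - certificaterequests
    # Fail closed: if the webhook cannot be reached, the request is rejected.
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/mutations
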
6288---
6289# Source: cert-manager/charts/cainjector/templates/psp-clusterrole.yaml
6290
6291
6292---
6293# Source: cert-manager/charts/cainjector/templates/psp-clusterrolebinding.yaml
6294
6295
6296---
6297# Source: cert-manager/charts/cainjector/templates/psp.yaml
6298
6299
6300---
6301# Source: cert-manager/templates/psp-clusterrole.yaml
6302
6303
6304---
6305# Source: cert-manager/templates/psp-clusterrolebinding.yaml
6306
6307
6308---
6309# Source: cert-manager/templates/psp.yaml
6310
6311
6312---
6313# Source: cert-manager/templates/servicemonitor.yaml
6314
6315
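---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Validating admission for cert-manager.io resources, routed through the
# aggregation layer like the mutating configuration.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.11.0
  annotations:
    cert-manager.io/inject-apiserver-ca: "true"
webhooks:
  - name: webhook.cert-manager.io
    # Validation is skipped for namespaces labelled
    # `cert-manager.io/disable-validation=true` and for the namespace whose
    # `name` label is `cert-manager`. Both are opt-outs: a namespace that can
    # set the first label bypasses validation entirely, so restrict who may
    # label namespaces. The `name` match only works if the Namespace object
    # actually carries that label (it is not added automatically).
    namespaceSelector:
      matchExpressions:
        - key: "cert-manager.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        - key: "name"
          operator: "NotIn"
          values:
            - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
          - issuers
          - clusterissuers
          - certificaterequests
    # Fail closed: if the webhook cannot be reached, the request is rejected.
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/webhook.cert-manager.io/v1beta1/validations
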