# CustomResourceDefinition for the CertificateRequest kind (group cert-manager.io,
# namespaced). v1alpha2 (storage) and v1alpha3 are both served; they share the one
# schema under spec.validation, and conversion between them is sent to a webhook.
# NOTE(review): apiextensions.k8s.io/v1beta1 is deprecated and is not served by
# Kubernetes 1.22 and later; the manifest has to move to apiextensions.k8s.io/v1 there.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Names the Secret (namespace/name) whose CA is injected for the conversion
    # webhook; this manifest sets no caBundle itself. Presumably consumed by
    # cert-manager's cainjector. Write access to that Secret decides which webhook
    # endpoint the API server will trust, so keep it tightly restricted.
    cert-manager.io/inject-ca-from-secret: kube-apps/cert-manager-webhook-tls
  name: certificaterequests.cert-manager.io
spec:
  # Columns shown by `kubectl get`; priority 1 columns appear only in wide output.
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  # Version conversion is delegated to the in-cluster Service
  # kube-apps/cert-manager-webhook at /convert. Every read or write that crosses
  # versions depends on this webhook being reachable and on its injected CA.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: cert-manager-webhook
        namespace: kube-apps
        path: /convert
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  # Fields that the schema below does not describe are pruned, not persisted.
  preserveUnknownFields: false
  scope: Namespaced
  # Enables the /status subresource, so writes to spec and to status can be
  # authorized separately in RBAC.
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: CertificateRequest is a type to represent a Certificate Signing
        Request
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: CertificateRequestSpec defines the desired state of CertificateRequest
          properties:
            # format: byte means the value is base64-encoded on the wire. The schema
            # checks only the type; the CSR contents are not validated here.
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              format: byte
              type: string
            duration:
              description: Requested certificate default Duration
              type: string
            # NOTE(review): isCA: true asks for a certificate that can sign other
            # certificates. The schema accepts it from anyone allowed to create
            # CertificateRequests in the namespace, so that permission and the
            # issuers reachable from it need to be limited by RBAC and issuer policy.
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'cert sign' usage is set
              type: boolean
            # Only 'name' is required. Per the description, kind 'ClusterIssuer'
            # lets a namespaced request reference a cluster-wide issuer.
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest. If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'cert-manager.io' if empty.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            # Closed enum: usage strings outside the list fail schema validation.
            # The list still contains broad values ('any', 'cert sign'); which usages
            # a given requester may ask for is not expressed in this schema.
            usages:
              description: Usages is the set of x509 actions that are enabled for
                a given key. Defaults are ('digital signature', 'key encipherment')
                if empty
              items:
                description: 'KeyUsage specifies valid usage contexts for keys. See:
                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                  Valid KeyUsage values are as follows: "signing", "digital signature",
                  "content commitment", "key encipherment", "key agreement", "data
                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
                  only", "any", "server auth", "client auth", "code signing", "email
                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                  sgc"'
                enum:
                - signing
                - digital signature
                - content commitment
                - key encipherment
                - key agreement
                - data encipherment
                - cert sign
                - crl sign
                - encipher only
                - decipher only
                - any
                - server auth
                - client auth
                - code signing
                - email protection
                - s/mime
                - ipsec end system
                - ipsec tunnel
                - ipsec user
                - timestamping
                - ocsp signing
                - microsoft sgc
                - netscape sgc
                type: string
              type: array
          required:
          - csr
          - issuerRef
          type: object
        # Observed state: the signed certificate, the issuing CA and conditions.
        status:
          description: CertificateStatus defines the observed state of CertificateRequest
            and resulting signed certificate.
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              format: byte
              type: string
            certificate:
              description: Byte slice containing a PEM encoded signed certificate
                resulting from the given certificate signing request.
              format: byte
              type: string
            conditions:
              items:
                description: CertificateRequestCondition contains condition information
                  for a CertificateRequest.
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    # "True" and "False" are quoted so YAML reads them as strings,
                    # not booleans.
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready', 'InvalidRequest').
                    type: string
                required:
                - status
                - type
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this CertificateRequest
                failed. This is used to influence garbage collection and back-off.
              format: date-time
              type: string
          type: object
      type: object
  # Both versions are served; objects are persisted as v1alpha2.
  versions:
  - name: v1alpha2
    served: true
    storage: true
  - name: v1alpha3
    served: true
    storage: false
---
# CustomResourceDefinition for the Certificate kind (group cert-manager.io,
# namespaced). Each served version (v1alpha2 = storage, v1alpha3) carries its own
# schema under versions[].schema; conversion between them is sent to a webhook.
# NOTE(review): apiextensions.k8s.io/v1beta1 is deprecated and is not served by
# Kubernetes 1.22 and later; the manifest has to move to apiextensions.k8s.io/v1 there.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Names the Secret (namespace/name) whose CA is injected for the conversion
    # webhook; this manifest sets no caBundle itself. Presumably consumed by
    # cert-manager's cainjector. Write access to that Secret decides which webhook
    # endpoint the API server will trust, so keep it tightly restricted.
    cert-manager.io/inject-ca-from-secret: kube-apps/cert-manager-webhook-tls
  name: certificates.cert-manager.io
spec:
  # Columns shown by `kubectl get`; priority 1 columns appear only in wide output.
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  # Version conversion is delegated to the in-cluster Service
  # kube-apps/cert-manager-webhook at /convert. Every read or write that crosses
  # versions depends on this webhook being reachable and on its injected CA.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: cert-manager-webhook
        namespace: kube-apps
        path: /convert
  group: cert-manager.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
    - cert
    - certs
    singular: certificate
  # Fields that the schemas below do not describe are pruned, not persisted.
  preserveUnknownFields: false
  scope: Namespaced
  # Enables the /status subresource, so writes to spec and to status can be
  # authorized separately in RBAC.
  subresources:
    status: {}
  versions:
  # v1alpha2 is the storage version. Its spec has a top-level 'organization' list;
  # v1alpha3 has 'subject.organizations' instead.
  - name: v1alpha2
    schema:
      openAPIV3Schema:
        description: Certificate is a type to represent a Certificate from ACME
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: CertificateSpec defines the desired state of Certificate.
              A valid Certificate requires at least one of a CommonName, DNSName,
              or URISAN to be valid.
            properties:
              # The 64-character limit in the description is advisory only: the
              # schema sets no maxLength.
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              # The SAN lists (dnsNames, emailSANs, ipAddresses, uriSANs) are arrays
              # of unconstrained strings; no pattern or format is applied here, so
              # which names a namespace may request is not limited by this schema.
              dnsNames:
                description: DNSNames is a list of subject alt names to be used on
                  the Certificate.
                items:
                  type: string
                type: array
              duration:
                description: Certificate default Duration
                type: string
              emailSANs:
                description: EmailSANs is a list of Email Subject Alternative Names
                  to be set on this Certificate.
                items:
                  type: string
                type: array
              ipAddresses:
                description: IPAddresses is a list of IP addresses to be used on the
                  Certificate
                items:
                  type: string
                type: array
              # NOTE(review): isCA: true asks for a certificate that can sign other
              # certificates. The schema accepts it from anyone allowed to create
              # Certificates in the namespace, so that permission and the issuers
              # reachable from it need to be limited by RBAC and issuer policy.
              isCA:
                description: IsCA will mark this Certificate as valid for signing.
                  This implies that the 'cert sign' usage is set
                type: boolean
              # Only 'name' is required. Per the description, kind 'ClusterIssuer'
              # lets a namespaced Certificate reference a cluster-wide issuer.
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                  name:
                    type: string
                required:
                - name
                type: object
              keyAlgorithm:
                description: KeyAlgorithm is the private key algorithm of the corresponding
                  private key for this certificate. If provided, allowed values are
                  either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
                  and key size of 2048 will be used for "rsa" key algorithm.
                enum:
                - rsa
                - ecdsa
                type: string
              keyEncoding:
                description: KeyEncoding is the private key cryptography standards
                  (PKCS) for this certificate's private key to be encoded in. If provided,
                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                  respectively. If KeyEncoding is not specified, then PKCS#1 will
                  be used by default.
                enum:
                - pkcs1
                - pkcs8
                type: string
              # NOTE(review): the schema bound is 0..8192, looser than the rule in
              # the description (RSA 2048..8192; ECDSA 256, 384 or 521). One numeric
              # range cannot express both rules, so a value such as 512 passes this
              # schema; the stricter check has to be enforced elsewhere (not visible
              # in this manifest).
              keySize:
                description: KeySize is the key bit size of the corresponding private
                  key for this certificate. If provided, value must be between 2048
                  and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                  and value must be one of (256, 384, 521) when KeyAlgorithm is set
                  to "ecdsa".
                maximum: 8192
                minimum: 0
                type: integer
              # Present only in v1alpha2; v1alpha3 uses subject.organizations.
              organization:
                description: Organization is the organization to be used on the Certificate
                items:
                  type: string
                type: array
              renewBefore:
                description: Certificate renew before expiration duration
                type: string
              # Required. Names the Secret that receives the issued material
              # (presumably including the private key, TODO confirm), so read access
              # to Secrets in the namespace should be treated as access to that key.
              secretName:
                description: SecretName is the name of the secret resource to store
                  this secret in
                type: string
              subject:
                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                properties:
                  countries:
                    description: Countries to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  localities:
                    description: Cities to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  organizationalUnits:
                    description: Organizational Units to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  postalCodes:
                    description: Postal codes to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  provinces:
                    description: State/Provinces to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  serialNumber:
                    description: Serial number to be used on the Certificate.
                    type: string
                  streetAddresses:
                    description: Street addresses to be used on the Certificate.
                    items:
                      type: string
                    type: array
                type: object
              uriSANs:
                description: URISANs is a list of URI Subject Alternative Names to
                  be set on this Certificate.
                items:
                  type: string
                type: array
              # Closed enum: usage strings outside the list fail schema validation.
              # The list still contains broad values ('any', 'cert sign'); which
              # usages a given requester may ask for is not expressed in this schema.
              usages:
                description: Usages is the set of x509 actions that are enabled for
                  a given key. Defaults are ('digital signature', 'key encipherment')
                  if empty
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                    Valid KeyUsage values are as follows: "signing", "digital signature",
                    "content commitment", "key encipherment", "key agreement", "data
                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
                    only", "any", "server auth", "client auth", "code signing", "email
                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                    sgc"'
                  enum:
                  - signing
                  - digital signature
                  - content commitment
                  - key encipherment
                  - key agreement
                  - data encipherment
                  - cert sign
                  - crl sign
                  - encipher only
                  - decipher only
                  - any
                  - server auth
                  - client auth
                  - code signing
                  - email protection
                  - s/mime
                  - ipsec end system
                  - ipsec tunnel
                  - ipsec user
                  - timestamping
                  - ocsp signing
                  - microsoft sgc
                  - netscape sgc
                  type: string
                type: array
            required:
            - issuerRef
            - secretName
            type: object
          status:
            description: CertificateStatus defines the observed state of Certificate
            properties:
              conditions:
                items:
                  description: CertificateCondition contains condition information
                    for an Certificate.
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      format: date-time
                      type: string
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      # "True" and "False" are quoted so YAML reads them as strings,
                      # not booleans.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: Type of the condition, currently ('Ready').
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              # No description is given for this field in the schema.
              lastFailureTime:
                format: date-time
                type: string
              notAfter:
                description: The expiration time of the certificate stored in the
                  secret named by this resource in spec.secretName.
                format: date-time
                type: string
            type: object
        type: object
    served: true
    storage: true
  # v1alpha3 is served but not stored. Its spec drops the top-level 'organization'
  # list and adds 'subject.organizations'; the remaining fields match v1alpha2.
  - name: v1alpha3
    schema:
      openAPIV3Schema:
        description: Certificate is a type to represent a Certificate from ACME
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: CertificateSpec defines the desired state of Certificate.
              A valid Certificate requires at least one of a CommonName, DNSName,
              or URISAN to be valid.
            properties:
              # The 64-character limit in the description is advisory only: the
              # schema sets no maxLength.
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              # As in v1alpha2, the SAN lists are arrays of unconstrained strings.
              dnsNames:
                description: DNSNames is a list of subject alt names to be used on
                  the Certificate.
                items:
                  type: string
                type: array
              duration:
                description: Certificate default Duration
                type: string
              emailSANs:
                description: EmailSANs is a list of Email Subject Alternative Names
                  to be set on this Certificate.
                items:
                  type: string
                type: array
              ipAddresses:
                description: IPAddresses is a list of IP addresses to be used on the
                  Certificate
                items:
                  type: string
                type: array
              # NOTE(review): same concern as in v1alpha2; creating a Certificate
              # with isCA: true yields a signing certificate, so restrict who may
              # create Certificates and which issuers they can reference.
              isCA:
                description: IsCA will mark this Certificate as valid for signing.
                  This implies that the 'cert sign' usage is set
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                  name:
                    type: string
                required:
                - name
                type: object
              keyAlgorithm:
                description: KeyAlgorithm is the private key algorithm of the corresponding
                  private key for this certificate. If provided, allowed values are
                  either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
                  and key size of 2048 will be used for "rsa" key algorithm.
                enum:
                - rsa
                - ecdsa
                type: string
              keyEncoding:
                description: KeyEncoding is the private key cryptography standards
                  (PKCS) for this certificate's private key to be encoded in. If provided,
                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                  respectively. If KeyEncoding is not specified, then PKCS#1 will
                  be used by default.
                enum:
                - pkcs1
                - pkcs8
                type: string
              # NOTE(review): as in v1alpha2, the 0..8192 bound is looser than the
              # description; undersized RSA values pass this schema and must be
              # rejected elsewhere (not visible in this manifest).
              keySize:
                description: KeySize is the key bit size of the corresponding private
                  key for this certificate. If provided, value must be between 2048
                  and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                  and value must be one of (256, 384, 521) when KeyAlgorithm is set
                  to "ecdsa".
                maximum: 8192
                minimum: 0
                type: integer
              renewBefore:
                description: Certificate renew before expiration duration
                type: string
              # Required. Names the Secret that receives the issued material
              # (presumably including the private key, TODO confirm).
              secretName:
                description: SecretName is the name of the secret resource to store
                  this secret in
                type: string
              subject:
                description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
                properties:
                  countries:
                    description: Countries to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  localities:
                    description: Cities to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  organizationalUnits:
                    description: Organizational Units to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  # Present only in v1alpha3; v1alpha2 has spec.organization.
                  organizations:
                    description: Organizations to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  postalCodes:
                    description: Postal codes to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  provinces:
                    description: State/Provinces to be used on the Certificate.
                    items:
                      type: string
                    type: array
                  serialNumber:
                    description: Serial number to be used on the Certificate.
                    type: string
                  streetAddresses:
                    description: Street addresses to be used on the Certificate.
                    items:
                      type: string
                    type: array
                type: object
              uriSANs:
                description: URISANs is a list of URI Subject Alternative Names to
                  be set on this Certificate.
                items:
                  type: string
                type: array
              # Same closed enum as v1alpha2, including the broad values 'any' and
              # 'cert sign'.
              usages:
                description: Usages is the set of x509 actions that are enabled for
                  a given key. Defaults are ('digital signature', 'key encipherment')
                  if empty
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                    Valid KeyUsage values are as follows: "signing", "digital signature",
                    "content commitment", "key encipherment", "key agreement", "data
                    encipherment", "cert sign", "crl sign", "encipher only", "decipher
                    only", "any", "server auth", "client auth", "code signing", "email
                    protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
                    user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
                    sgc"'
                  enum:
                  - signing
                  - digital signature
                  - content commitment
                  - key encipherment
                  - key agreement
                  - data encipherment
                  - cert sign
                  - crl sign
                  - encipher only
                  - decipher only
                  - any
                  - server auth
                  - client auth
                  - code signing
                  - email protection
                  - s/mime
                  - ipsec end system
                  - ipsec tunnel
                  - ipsec user
                  - timestamping
                  - ocsp signing
                  - microsoft sgc
                  - netscape sgc
                  type: string
                type: array
            required:
            - issuerRef
            - secretName
            type: object
          status:
            description: CertificateStatus defines the observed state of Certificate
            properties:
              conditions:
                items:
                  description: CertificateCondition contains condition information
                    for an Certificate.
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      format: date-time
                      type: string
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      # "True" and "False" are quoted so YAML reads them as strings,
                      # not booleans.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: Type of the condition, currently ('Ready').
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              # No description is given for this field in the schema.
              lastFailureTime:
                format: date-time
                type: string
              notAfter:
                description: The expiration time of the certificate stored in the
                  secret named by this resource in spec.secretName.
                format: date-time
                type: string
            type: object
        type: object
    served: true
    storage: false
747---
748apiVersion: apiextensions.k8s.io/v1beta1
749kind: CustomResourceDefinition
750metadata:
751 annotations:
752 cert-manager.io/inject-ca-from-secret: kube-apps/cert-manager-webhook-tls
753 name: challenges.acme.cert-manager.io
754spec:
755 additionalPrinterColumns:
756 - JSONPath: .status.state
757 name: State
758 type: string
759 - JSONPath: .spec.dnsName
760 name: Domain
761 type: string
762 - JSONPath: .status.reason
763 name: Reason
764 priority: 1
765 type: string
766 - JSONPath: .metadata.creationTimestamp
767 description: CreationTimestamp is a timestamp representing the server time when
768 this object was created. It is not guaranteed to be set in happens-before order
769 across separate operations. Clients may not set this value. It is represented
770 in RFC3339 form and is in UTC.
771 name: Age
772 type: date
773 conversion:
774 strategy: Webhook
775 webhookClientConfig:
776 service:
777 name: cert-manager-webhook
778 namespace: kube-apps
779 path: /convert
780 group: acme.cert-manager.io
781 names:
782 kind: Challenge
783 listKind: ChallengeList
784 plural: challenges
785 singular: challenge
786 preserveUnknownFields: false
787 scope: Namespaced
788 subresources:
789 status: {}
790 validation:
791 openAPIV3Schema:
792 description: Challenge is a type to represent a Challenge request with an ACME
793 server
794 properties:
795 apiVersion:
796 description: 'APIVersion defines the versioned schema of this representation
797 of an object. Servers should convert recognized schemas to the latest
798 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
799 type: string
800 kind:
801 description: 'Kind is a string value representing the REST resource this
802 object represents. Servers may infer this from the endpoint the client
803 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
804 type: string
805 metadata:
806 type: object
807 spec:
808 properties:
809 authzURL:
810 description: AuthzURL is the URL to the ACME Authorization resource
811 that this challenge is a part of.
812 type: string
813 dnsName:
814 description: DNSName is the identifier that this challenge is for, e.g.
815 example.com.
816 type: string
817 issuerRef:
818 description: IssuerRef references a properly configured ACME-type Issuer
819 which should be used to create this Challenge. If the Issuer does
820 not exist, processing will be retried. If the Issuer is not an 'ACME'
821 Issuer, an error will be returned and the Challenge will be marked
822 as failed.
823 properties:
824 group:
825 type: string
826 kind:
827 type: string
828 name:
829 type: string
830 required:
831 - name
832 type: object
833 key:
834 description: Key is the ACME challenge key for this challenge
835 type: string
836 solver:
837 description: Solver contains the domain solving configuration that should
838 be used to solve this challenge resource.
839 properties:
840 dns01:
841 properties:
842 acmedns:
843 description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
844 the configuration for ACME-DNS servers
845 properties:
846 accountSecretRef:
847 properties:
848 key:
849 description: The key of the secret to select from. Must
850 be a valid secret key.
851 type: string
852 name:
853 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
854 TODO: Add other useful fields. apiVersion, kind, uid?'
855 type: string
856 required:
857 - name
858 type: object
859 host:
860 type: string
861 required:
862 - accountSecretRef
863 - host
864 type: object
865 akamai:
866 description: ACMEIssuerDNS01ProviderAkamai is a structure containing
867 the DNS configuration for Akamai DNS—Zone Record Management
868 API
869 properties:
870 accessTokenSecretRef:
871 properties:
872 key:
873 description: The key of the secret to select from. Must
874 be a valid secret key.
875 type: string
876 name:
877 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
878 TODO: Add other useful fields. apiVersion, kind, uid?'
879 type: string
880 required:
881 - name
882 type: object
883 clientSecretSecretRef:
884 properties:
885 key:
886 description: The key of the secret to select from. Must
887 be a valid secret key.
888 type: string
889 name:
890 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
891 TODO: Add other useful fields. apiVersion, kind, uid?'
892 type: string
893 required:
894 - name
895 type: object
896 clientTokenSecretRef:
897 properties:
898 key:
899 description: The key of the secret to select from. Must
900 be a valid secret key.
901 type: string
902 name:
903 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
904 TODO: Add other useful fields. apiVersion, kind, uid?'
905 type: string
906 required:
907 - name
908 type: object
909 serviceConsumerDomain:
910 type: string
911 required:
912 - accessTokenSecretRef
913 - clientSecretSecretRef
914 - clientTokenSecretRef
915 - serviceConsumerDomain
916 type: object
917 azuredns:
918 description: ACMEIssuerDNS01ProviderAzureDNS is a structure
919 containing the configuration for Azure DNS
920 properties:
921 clientID:
922 type: string
923 clientSecretSecretRef:
924 properties:
925 key:
926 description: The key of the secret to select from. Must
927 be a valid secret key.
928 type: string
929 name:
930 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
931 TODO: Add other useful fields. apiVersion, kind, uid?'
932 type: string
933 required:
934 - name
935 type: object
936 environment:
937 enum:
938 - AzurePublicCloud
939 - AzureChinaCloud
940 - AzureGermanCloud
941 - AzureUSGovernmentCloud
942 type: string
943 hostedZoneName:
944 type: string
945 resourceGroupName:
946 type: string
947 subscriptionID:
948 type: string
949 tenantID:
950 type: string
951 required:
952 - clientID
953 - clientSecretSecretRef
954 - resourceGroupName
955 - subscriptionID
956 - tenantID
957 type: object
958 clouddns:
959 description: ACMEIssuerDNS01ProviderCloudDNS is a structure
960 containing the DNS configuration for Google Cloud DNS
961 properties:
962 project:
963 type: string
964 serviceAccountSecretRef:
965 properties:
966 key:
967 description: The key of the secret to select from. Must
968 be a valid secret key.
969 type: string
970 name:
971 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
972 TODO: Add other useful fields. apiVersion, kind, uid?'
973 type: string
974 required:
975 - name
976 type: object
977 required:
978 - project
979 type: object
980 cloudflare:
981 description: ACMEIssuerDNS01ProviderCloudflare is a structure
982 containing the DNS configuration for Cloudflare
983 properties:
984 apiKeySecretRef:
985 properties:
986 key:
987 description: The key of the secret to select from. Must
988 be a valid secret key.
989 type: string
990 name:
991 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
992 TODO: Add other useful fields. apiVersion, kind, uid?'
993 type: string
994 required:
995 - name
996 type: object
997 apiTokenSecretRef:
998 properties:
999 key:
1000 description: The key of the secret to select from. Must
1001 be a valid secret key.
1002 type: string
1003 name:
1004 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1005 TODO: Add other useful fields. apiVersion, kind, uid?'
1006 type: string
1007 required:
1008 - name
1009 type: object
1010 email:
1011 type: string
1012 required:
1013 - email
1014 type: object
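# How the DNS01 solver treats CNAME records it finds (nesting restored, paste
# gutter numbers dropped). The enum limits the value to the two strings below.
# NOTE(review): presumably `Follow` makes the solver place the challenge record
# in the zone the CNAME points to - confirm against the controller. If so,
# whoever controls that target zone can satisfy DNS01 validation for the
# delegating name, so CNAME targets belong inside the trust boundary.
cnameStrategy:
  description: CNAMEStrategy configures how the DNS01 provider
    should handle CNAME records when found in DNS zones.
  enum:
  - None
  - Follow
  type: string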
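# DigitalOcean Domains settings for the DNS01 solver (nesting restored, paste
# gutter numbers dropped). tokenSecretRef is the only field and is required.
digitalocean:
  description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
    containing the DNS configuration for DigitalOcean Domains
  properties:
    # The API token is referenced by Secret name and key, never stored inline.
    # NOTE(review): `key` is not in `required`, so a reference without it
    # passes schema validation; how a missing key is handled is not visible
    # here - confirm in the controller.
    tokenSecretRef:
      properties:
        key:
          description: The key of the secret to select from. Must
            be a valid secret key.
          type: string
        name:
          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
            TODO: Add other useful fields. apiVersion, kind, uid?'
          type: string
      required:
      - name
      type: object
  required:
  - tokenSecretRef
  type: object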
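# RFC 2136 dynamic-update settings for the DNS01 solver (nesting restored,
# paste gutter numbers dropped).
# NOTE(review): only `nameserver` is required by this schema. The descriptions
# say tsigKeyName and tsigSecretSecretRef require each other, but no schema
# rule here enforces that pairing, so it has to be checked elsewhere (not
# visible in this fragment). With both unset, updates would presumably be sent
# without TSIG authentication - confirm that the target server refuses them.
rfc2136:
  description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
    the configuration for RFC2136 DNS
  properties:
    # Plain string: the "IP only" rule in the description is not expressed as
    # a `format` or `pattern`, so this schema does not enforce it.
    nameserver:
      description: 'The IP address of the DNS supporting RFC2136.
        Required. Note: FQDN is not a valid value, only IP.'
      type: string
    # NOTE(review): the description gives HMACMD5 as the default. Set this
    # field explicitly to HMACSHA256 or HMACSHA512 in Issuer manifests instead
    # of relying on the default. There is no `enum` on this field, so the
    # schema accepts any string and unsupported values are not rejected here.
    tsigAlgorithm:
      description: 'The TSIG Algorithm configured in the DNS supporting
        RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``
        are defined. Supported values are (case-insensitive):
        ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or
        ``HMACSHA512``.'
      type: string
    tsigKeyName:
      description: The TSIG Key name configured in the DNS. If
        ``tsigSecretSecretRef`` is defined, this field is required.
      type: string
    # The TSIG secret is referenced by Secret name and key, never stored
    # inline. `key` is not in `required` for the reference itself.
    tsigSecretSecretRef:
      description: The name of the secret containing the TSIG
        value. If ``tsigKeyName`` is defined, this field is required.
      properties:
        key:
          description: The key of the secret to select from. Must
            be a valid secret key.
          type: string
        name:
          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
            TODO: Add other useful fields. apiVersion, kind, uid?'
          type: string
      required:
      - name
      type: object
  required:
  - nameserver
  type: object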
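# AWS Route 53 settings for the DNS01 solver (nesting restored, paste gutter
# numbers dropped). Only `region` is required.
# NOTE(review): per the field descriptions, leaving accessKeyID or
# secretAccessKeySecretRef unset makes the provider fall back to environment
# variables, the shared credentials file or instance metadata, i.e. whatever
# identity the controller process already has. Keep that identity limited to
# the Route 53 changes needed for the zones being validated.
route53:
  description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
    the Route 53 configuration for AWS
  properties:
    # Stored inline in the resource; the matching secret access key is only
    # referenced (see secretAccessKeySecretRef).
    accessKeyID:
      description: 'The AccessKeyID is used for authentication.
        If not set we fall-back to using env vars, shared credentials
        file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
      type: string
    # Setting this pins the provider to one zone and skips the
    # ListHostedZonesByName lookup (see description), which pairs well with an
    # IAM policy scoped to that single zone.
    hostedZoneID:
      description: If set, the provider will manage only this
        zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName
        api call.
      type: string
    region:
      description: Always set the region when using AccessKeyID
        and SecretAccessKey
      type: string
    # Role ARN assumed with the explicit or ambient credentials. The role's
    # trust policy decides who may assume it, so review it with this field.
    role:
      description: Role is a Role ARN which the Route53 provider
        will assume using either the explicit credentials AccessKeyID/SecretAccessKey
        or the inferred credentials from environment variables,
        shared credentials file or AWS Instance metadata
      type: string
    # Secret access key, referenced by Secret name and key. `key` is not in
    # `required` for the reference itself.
    secretAccessKeySecretRef:
      description: The SecretAccessKey is used for authentication.
        If not set we fall-back to using env vars, shared credentials
        file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
      properties:
        key:
          description: The key of the secret to select from. Must
            be a valid secret key.
          type: string
        name:
          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
            TODO: Add other useful fields. apiVersion, kind, uid?'
          type: string
      required:
      - name
      type: object
  required:
  - region
  type: object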
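# External webhook DNS01 solver (nesting restored, paste gutter numbers
# dropped). groupName and solverName are required; config is optional.
webhook:
  description: ACMEIssuerDNS01ProviderWebhook specifies configuration
    for a webhook DNS01 provider, including where to POST ChallengePayload
    resources.
  properties:
    # NOTE(review): x-kubernetes-preserve-unknown-fields keeps unknown fields
    # under `config`, so arbitrary JSON is accepted and not validated by this
    # schema. The value is stored in the resource as given, readable by anyone
    # who can read the resource; as the description says, put credentials in a
    # Secret and reference it instead of writing them here.
    config:
      description: Additional configuration that should be passed
        to the webhook apiserver when challenges are processed.
        This can contain arbitrary JSON data. Secret values should
        not be specified in this stanza. If secret values are
        needed (e.g. credentials for a DNS service), you should
        use a SecretKeySelector to reference a Secret resource.
        For details on the schema of this field, consult the webhook
        provider implementation's documentation.
      x-kubernetes-preserve-unknown-fields: true
    # groupName and solverName together decide which webhook implementation
    # receives the ChallengePayload. Both are plain strings with no pattern in
    # this schema.
    groupName:
      description: The API group name that should be used when
        POSTing ChallengePayload resources to the webhook apiserver.
        This should be the same as the GroupName specified in
        the webhook provider implementation.
      type: string
    solverName:
      description: The name of the solver to use, as defined in
        the webhook provider implementation. This will typically
        be the name of the provider, e.g. 'cloudflare'.
      type: string
  required:
  - groupName
  - solverName
  type: object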
1152 type: object
1153 http01:
1154 description: ACMEChallengeSolverHTTP01 contains configuration detailing
1155 how to solve HTTP01 challenges within a Kubernetes cluster. Typically
1156 this is accomplished through creating 'routes' of some description
1157 that configure ingress controllers to direct traffic to 'solver
1158 pods', which are responsible for responding to the ACME server's
1159 HTTP requests.
1160 properties:
1161 ingress:
1162 description: The ingress based HTTP01 challenge solver will
1163 solve challenges by creating or modifying Ingress resources
1164 in order to route requests for '/.well-known/acme-challenge/XYZ'
1165 to 'challenge solver' pods that are provisioned by cert-manager
1166 for each Challenge to be completed.
1167 properties:
1168 class:
1169 description: The ingress class to use when creating Ingress
1170 resources to solve ACME challenges that use this challenge
1171 solver. Only one of 'class' or 'name' may be specified.
1172 type: string
1173 name:
1174 description: The name of the ingress resource that should
1175 have ACME challenge solving routes inserted into it in
1176 order to solve HTTP01 challenges. This is typically used
1177 in conjunction with ingress controllers like ingress-gce,
1178 which maintains a 1:1 mapping between external IPs and
1179 ingress resources.
1180 type: string
1181 podTemplate:
1182 description: Optional pod template used to configure the
1183 ACME challenge solver pods used for HTTP01 challenges
1184 properties:
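# Label and annotation overrides for HTTP01 solver pods (nesting restored,
# paste gutter numbers dropped).
# NOTE(review): values given here override the in-built ones (see
# description). Pod annotations and labels are read by other controllers and
# admission plugins, so anyone allowed to write this field can influence how
# solver pods are treated by them. Restrict write access to the resources that
# embed this schema accordingly.
metadata:
  description: ObjectMeta overrides for the pod used to
    solve HTTP01 challenges. Only the 'labels' and 'annotations'
    fields may be set. If labels or annotations overlap
    with in-built values, the values here will override
    the in-built values.
  properties:
    # Free-form string map; no key or value pattern is set in this schema.
    annotations:
      additionalProperties:
        type: string
      description: Annotations that should be added to
        the create ACME HTTP01 solver pods.
      type: object
    # Free-form string map; no key or value pattern is set in this schema.
    labels:
      additionalProperties:
        type: string
      description: Labels that should be added to the
        created ACME HTTP01 solver pods.
      type: object
  type: object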
1205 spec:
1206 description: PodSpec defines overrides for the HTTP01
1207 challenge solver pod. Only the 'nodeSelector', 'affinity'
1208 and 'tolerations' fields are supported currently.
1209 All other fields will be ignored.
1210 properties:
1211 affinity:
1212 description: If specified, the pod's scheduling
1213 constraints
1214 properties:
1215 nodeAffinity:
1216 description: Describes node affinity scheduling
1217 rules for the pod.
1218 properties:
1219 preferredDuringSchedulingIgnoredDuringExecution:
1220 description: The scheduler will prefer to
1221 schedule pods to nodes that satisfy the
1222 affinity expressions specified by this
1223 field, but it may choose a node that violates
1224 one or more of the expressions. The node
1225 that is most preferred is the one with
1226 the greatest sum of weights, i.e. for
1227 each node that meets all of the scheduling
1228 requirements (resource request, requiredDuringScheduling
1229 affinity expressions, etc.), compute a
1230 sum by iterating through the elements
1231 of this field and adding "weight" to the
1232 sum if the node matches the corresponding
1233 matchExpressions; the node(s) with the
1234 highest sum are the most preferred.
1235 items:
1236 description: An empty preferred scheduling
1237 term matches all objects with implicit
1238 weight 0 (i.e. it's a no-op). A null
1239 preferred scheduling term matches no
1240 objects (i.e. is also a no-op).
1241 properties:
1242 preference:
1243 description: A node selector term,
1244 associated with the corresponding
1245 weight.
1246 properties:
1247 matchExpressions:
1248 description: A list of node selector
1249 requirements by node's labels.
1250 items:
1251 description: A node selector
1252 requirement is a selector
1253 that contains values, a key,
1254 and an operator that relates
1255 the key and values.
1256 properties:
1257 key:
1258 description: The label key
1259 that the selector applies
1260 to.
1261 type: string
1262 operator:
1263 description: Represents
1264 a key's relationship to
1265 a set of values. Valid
1266 operators are In, NotIn,
1267 Exists, DoesNotExist,
1268 Gt, and Lt.
1269 type: string
1270 values:
1271 description: An array of
1272 string values. If the
1273 operator is In or NotIn,
1274 the values array must
1275 be non-empty. If the operator
1276 is Exists or DoesNotExist,
1277 the values array must
1278 be empty. If the operator
1279 is Gt or Lt, the values
1280 array must have a single
1281 element, which will be
1282 interpreted as an integer.
1283 This array is replaced
1284 during a strategic merge
1285 patch.
1286 items:
1287 type: string
1288 type: array
1289 required:
1290 - key
1291 - operator
1292 type: object
1293 type: array
1294 matchFields:
1295 description: A list of node selector
1296 requirements by node's fields.
1297 items:
1298 description: A node selector
1299 requirement is a selector
1300 that contains values, a key,
1301 and an operator that relates
1302 the key and values.
1303 properties:
1304 key:
1305 description: The label key
1306 that the selector applies
1307 to.
1308 type: string
1309 operator:
1310 description: Represents
1311 a key's relationship to
1312 a set of values. Valid
1313 operators are In, NotIn,
1314 Exists, DoesNotExist,
1315 Gt, and Lt.
1316 type: string
1317 values:
1318 description: An array of
1319 string values. If the
1320 operator is In or NotIn,
1321 the values array must
1322 be non-empty. If the operator
1323 is Exists or DoesNotExist,
1324 the values array must
1325 be empty. If the operator
1326 is Gt or Lt, the values
1327 array must have a single
1328 element, which will be
1329 interpreted as an integer.
1330 This array is replaced
1331 during a strategic merge
1332 patch.
1333 items:
1334 type: string
1335 type: array
1336 required:
1337 - key
1338 - operator
1339 type: object
1340 type: array
1341 type: object
1342 weight:
1343 description: Weight associated with
1344 matching the corresponding nodeSelectorTerm,
1345 in the range 1-100.
1346 format: int32
1347 type: integer
1348 required:
1349 - preference
1350 - weight
1351 type: object
1352 type: array
1353 requiredDuringSchedulingIgnoredDuringExecution:
1354 description: If the affinity requirements
1355 specified by this field are not met at
1356 scheduling time, the pod will not be scheduled
1357 onto the node. If the affinity requirements
1358 specified by this field cease to be met
1359 at some point during pod execution (e.g.
1360 due to an update), the system may or may
1361 not try to eventually evict the pod from
1362 its node.
1363 properties:
1364 nodeSelectorTerms:
1365 description: Required. A list of node
1366 selector terms. The terms are ORed.
1367 items:
1368 description: A null or empty node
1369 selector term matches no objects.
1370 The requirements of them are ANDed.
1371 The TopologySelectorTerm type implements
1372 a subset of the NodeSelectorTerm.
1373 properties:
1374 matchExpressions:
1375 description: A list of node selector
1376 requirements by node's labels.
1377 items:
1378 description: A node selector
1379 requirement is a selector
1380 that contains values, a key,
1381 and an operator that relates
1382 the key and values.
1383 properties:
1384 key:
1385 description: The label key
1386 that the selector applies
1387 to.
1388 type: string
1389 operator:
1390 description: Represents
1391 a key's relationship to
1392 a set of values. Valid
1393 operators are In, NotIn,
1394 Exists, DoesNotExist,
1395 Gt, and Lt.
1396 type: string
1397 values:
1398 description: An array of
1399 string values. If the
1400 operator is In or NotIn,
1401 the values array must
1402 be non-empty. If the operator
1403 is Exists or DoesNotExist,
1404 the values array must
1405 be empty. If the operator
1406 is Gt or Lt, the values
1407 array must have a single
1408 element, which will be
1409 interpreted as an integer.
1410 This array is replaced
1411 during a strategic merge
1412 patch.
1413 items:
1414 type: string
1415 type: array
1416 required:
1417 - key
1418 - operator
1419 type: object
1420 type: array
1421 matchFields:
1422 description: A list of node selector
1423 requirements by node's fields.
1424 items:
1425 description: A node selector
1426 requirement is a selector
1427 that contains values, a key,
1428 and an operator that relates
1429 the key and values.
1430 properties:
1431 key:
1432 description: The label key
1433 that the selector applies
1434 to.
1435 type: string
1436 operator:
1437 description: Represents
1438 a key's relationship to
1439 a set of values. Valid
1440 operators are In, NotIn,
1441 Exists, DoesNotExist,
1442 Gt, and Lt.
1443 type: string
1444 values:
1445 description: An array of
1446 string values. If the
1447 operator is In or NotIn,
1448 the values array must
1449 be non-empty. If the operator
1450 is Exists or DoesNotExist,
1451 the values array must
1452 be empty. If the operator
1453 is Gt or Lt, the values
1454 array must have a single
1455 element, which will be
1456 interpreted as an integer.
1457 This array is replaced
1458 during a strategic merge
1459 patch.
1460 items:
1461 type: string
1462 type: array
1463 required:
1464 - key
1465 - operator
1466 type: object
1467 type: array
1468 type: object
1469 type: array
1470 required:
1471 - nodeSelectorTerms
1472 type: object
1473 type: object
1474 podAffinity:
1475 description: Describes pod affinity scheduling
1476 rules (e.g. co-locate this pod in the same
1477 node, zone, etc. as some other pod(s)).
1478 properties:
1479 preferredDuringSchedulingIgnoredDuringExecution:
1480 description: The scheduler will prefer to
1481 schedule pods to nodes that satisfy the
1482 affinity expressions specified by this
1483 field, but it may choose a node that violates
1484 one or more of the expressions. The node
1485 that is most preferred is the one with
1486 the greatest sum of weights, i.e. for
1487 each node that meets all of the scheduling
1488 requirements (resource request, requiredDuringScheduling
1489 affinity expressions, etc.), compute a
1490 sum by iterating through the elements
1491 of this field and adding "weight" to the
1492 sum if the node has pods which match
1493 the corresponding podAffinityTerm; the
1494 node(s) with the highest sum are the most
1495 preferred.
1496 items:
1497 description: The weights of all of the
1498 matched WeightedPodAffinityTerm fields
1499 are added per-node to find the most
1500 preferred node(s)
1501 properties:
1502 podAffinityTerm:
1503 description: Required. A pod affinity
1504 term, associated with the corresponding
1505 weight.
1506 properties:
1507 labelSelector:
1508 description: A label query over
1509 a set of resources, in this
1510 case pods.
1511 properties:
1512 matchExpressions:
1513 description: matchExpressions
1514 is a list of label selector
1515 requirements. The requirements
1516 are ANDed.
1517 items:
1518 description: A label selector
1519 requirement is a selector
1520 that contains values,
1521 a key, and an operator
1522 that relates the key and
1523 values.
1524 properties:
1525 key:
1526 description: key is
1527 the label key that
1528 the selector applies
1529 to.
1530 type: string
1531 operator:
1532 description: operator
1533 represents a key's
1534 relationship to a
1535 set of values. Valid
1536 operators are In,
1537 NotIn, Exists and
1538 DoesNotExist.
1539 type: string
1540 values:
1541 description: values
1542 is an array of string
1543 values. If the operator
1544 is In or NotIn, the
1545 values array must
1546 be non-empty. If the
1547 operator is Exists
1548 or DoesNotExist, the
1549 values array must
1550 be empty. This array
1551 is replaced during
1552 a strategic merge
1553 patch.
1554 items:
1555 type: string
1556 type: array
1557 required:
1558 - key
1559 - operator
1560 type: object
1561 type: array
1562 matchLabels:
1563 additionalProperties:
1564 type: string
1565 description: matchLabels is
1566 a map of {key,value} pairs.
1567 A single {key,value} in
1568 the matchLabels map is equivalent
1569 to an element of matchExpressions,
1570 whose key field is "key",
1571 the operator is "In", and
1572 the values array contains
1573 only "value". The requirements
1574 are ANDed.
1575 type: object
1576 type: object
1577 namespaces:
1578 description: namespaces specifies
1579 which namespaces the labelSelector
1580 applies to (matches against);
1581 null or empty list means "this
1582 pod's namespace"
1583 items:
1584 type: string
1585 type: array
1586 topologyKey:
1587 description: This pod should be
1588 co-located (affinity) or not
1589 co-located (anti-affinity) with
1590 the pods matching the labelSelector
1591 in the specified namespaces,
1592 where co-located is defined
1593 as running on a node whose value
1594 of the label with key topologyKey
1595 matches that of any node on
1596 which any of the selected pods
1597 is running. Empty topologyKey
1598 is not allowed.
1599 type: string
1600 required:
1601 - topologyKey
1602 type: object
1603 weight:
1604 description: weight associated with
1605 matching the corresponding podAffinityTerm,
1606 in the range 1-100.
1607 format: int32
1608 type: integer
1609 required:
1610 - podAffinityTerm
1611 - weight
1612 type: object
1613 type: array
1614 requiredDuringSchedulingIgnoredDuringExecution:
1615 description: If the affinity requirements
1616 specified by this field are not met at
1617 scheduling time, the pod will not be scheduled
1618 onto the node. If the affinity requirements
1619 specified by this field cease to be met
1620 at some point during pod execution (e.g.
1621 due to a pod label update), the system
1622 may or may not try to eventually evict
1623 the pod from its node. When there are
1624 multiple elements, the lists of nodes
1625 corresponding to each podAffinityTerm
1626 are intersected, i.e. all terms must be
1627 satisfied.
1628 items:
1629 description: Defines a set of pods (namely
1630 those matching the labelSelector relative
1631 to the given namespace(s)) that this
1632 pod should be co-located (affinity)
1633 or not co-located (anti-affinity) with,
1634 where co-located is defined as running
1635 on a node whose value of the label with
1636 key <topologyKey> matches that of any
1637 node on which a pod of the set of pods
1638 is running
1639 properties:
1640 labelSelector:
1641 description: A label query over a
1642 set of resources, in this case pods.
1643 properties:
1644 matchExpressions:
1645 description: matchExpressions
1646 is a list of label selector
1647 requirements. The requirements
1648 are ANDed.
1649 items:
1650 description: A label selector
1651 requirement is a selector
1652 that contains values, a key,
1653 and an operator that relates
1654 the key and values.
1655 properties:
1656 key:
1657 description: key is the
1658 label key that the selector
1659 applies to.
1660 type: string
1661 operator:
1662 description: operator represents
1663 a key's relationship to
1664 a set of values. Valid
1665 operators are In, NotIn,
1666 Exists and DoesNotExist.
1667 type: string
1668 values:
1669 description: values is an
1670 array of string values.
1671 If the operator is In
1672 or NotIn, the values array
1673 must be non-empty. If
1674 the operator is Exists
1675 or DoesNotExist, the values
1676 array must be empty. This
1677 array is replaced during
1678 a strategic merge patch.
1679 items:
1680 type: string
1681 type: array
1682 required:
1683 - key
1684 - operator
1685 type: object
1686 type: array
1687 matchLabels:
1688 additionalProperties:
1689 type: string
1690 description: matchLabels is a
1691 map of {key,value} pairs. A
1692 single {key,value} in the matchLabels
1693 map is equivalent to an element
1694 of matchExpressions, whose key
1695 field is "key", the operator
1696 is "In", and the values array
1697 contains only "value". The requirements
1698 are ANDed.
1699 type: object
1700 type: object
1701 namespaces:
1702 description: namespaces specifies
1703 which namespaces the labelSelector
1704 applies to (matches against); null
1705 or empty list means "this pod's
1706 namespace"
1707 items:
1708 type: string
1709 type: array
1710 topologyKey:
1711 description: This pod should be co-located
1712 (affinity) or not co-located (anti-affinity)
1713 with the pods matching the labelSelector
1714 in the specified namespaces, where
1715 co-located is defined as running
1716 on a node whose value of the label
1717 with key topologyKey matches that
1718 of any node on which any of the
1719 selected pods is running. Empty
1720 topologyKey is not allowed.
1721 type: string
1722 required:
1723 - topologyKey
1724 type: object
1725 type: array
1726 type: object
1727 podAntiAffinity:
1728 description: Describes pod anti-affinity scheduling
1729 rules (e.g. avoid putting this pod in the
1730 same node, zone, etc. as some other pod(s)).
1731 properties:
1732 preferredDuringSchedulingIgnoredDuringExecution:
1733 description: The scheduler will prefer to
1734 schedule pods to nodes that satisfy the
1735 anti-affinity expressions specified by
1736 this field, but it may choose a node that
1737 violates one or more of the expressions.
1738 The node that is most preferred is the
1739 one with the greatest sum of weights,
1740 i.e. for each node that meets all of the
1741 scheduling requirements (resource request,
1742 requiredDuringScheduling anti-affinity
1743 expressions, etc.), compute a sum by iterating
1744 through the elements of this field and
1745 adding "weight" to the sum if the node
1746 has pods which match the corresponding
1747 podAffinityTerm; the node(s) with the
1748 highest sum are the most preferred.
1749 items:
1750 description: The weights of all of the
1751 matched WeightedPodAffinityTerm fields
1752 are added per-node to find the most
1753 preferred node(s)
1754 properties:
1755 podAffinityTerm:
1756 description: Required. A pod affinity
1757 term, associated with the corresponding
1758 weight.
1759 properties:
1760 labelSelector:
1761 description: A label query over
1762 a set of resources, in this
1763 case pods.
1764 properties:
1765 matchExpressions:
1766 description: matchExpressions
1767 is a list of label selector
1768 requirements. The requirements
1769 are ANDed.
1770 items:
1771 description: A label selector
1772 requirement is a selector
1773 that contains values,
1774 a key, and an operator
1775 that relates the key and
1776 values.
1777 properties:
1778 key:
1779 description: key is
1780 the label key that
1781 the selector applies
1782 to.
1783 type: string
1784 operator:
1785 description: operator
1786 represents a key's
1787 relationship to a
1788 set of values. Valid
1789 operators are In,
1790 NotIn, Exists and
1791 DoesNotExist.
1792 type: string
1793 values:
1794 description: values
1795 is an array of string
1796 values. If the operator
1797 is In or NotIn, the
1798 values array must
1799 be non-empty. If the
1800 operator is Exists
1801 or DoesNotExist, the
1802 values array must
1803 be empty. This array
1804 is replaced during
1805 a strategic merge
1806 patch.
1807 items:
1808 type: string
1809 type: array
1810 required:
1811 - key
1812 - operator
1813 type: object
1814 type: array
1815 matchLabels:
1816 additionalProperties:
1817 type: string
1818 description: matchLabels is
1819 a map of {key,value} pairs.
1820 A single {key,value} in
1821 the matchLabels map is equivalent
1822 to an element of matchExpressions,
1823 whose key field is "key",
1824 the operator is "In", and
1825 the values array contains
1826 only "value". The requirements
1827 are ANDed.
1828 type: object
1829 type: object
1830 namespaces:
1831 description: namespaces specifies
1832 which namespaces the labelSelector
1833 applies to (matches against);
1834 null or empty list means "this
1835 pod's namespace"
1836 items:
1837 type: string
1838 type: array
1839 topologyKey:
1840 description: This pod should be
1841 co-located (affinity) or not
1842 co-located (anti-affinity) with
1843 the pods matching the labelSelector
1844 in the specified namespaces,
1845 where co-located is defined
1846 as running on a node whose value
1847 of the label with key topologyKey
1848 matches that of any node on
1849 which any of the selected pods
1850 is running. Empty topologyKey
1851 is not allowed.
1852 type: string
1853 required:
1854 - topologyKey
1855 type: object
1856 weight:
1857 description: weight associated with
1858 matching the corresponding podAffinityTerm,
1859 in the range 1-100.
1860 format: int32
1861 type: integer
1862 required:
1863 - podAffinityTerm
1864 - weight
1865 type: object
1866 type: array
1867 requiredDuringSchedulingIgnoredDuringExecution:
1868 description: If the anti-affinity requirements
1869 specified by this field are not met at
1870 scheduling time, the pod will not be scheduled
1871 onto the node. If the anti-affinity requirements
1872 specified by this field cease to be met
1873 at some point during pod execution (e.g.
1874 due to a pod label update), the system
1875 may or may not try to eventually evict
1876 the pod from its node. When there are
1877 multiple elements, the lists of nodes
1878 corresponding to each podAffinityTerm
1879 are intersected, i.e. all terms must be
1880 satisfied.
1881 items:
1882 description: Defines a set of pods (namely
1883 those matching the labelSelector relative
1884 to the given namespace(s)) that this
1885 pod should be co-located (affinity)
1886 or not co-located (anti-affinity) with,
1887 where co-located is defined as running
1888 on a node whose value of the label with
1889 key <topologyKey> matches that of any
1890 node on which a pod of the set of pods
1891 is running
1892 properties:
1893 labelSelector:
1894 description: A label query over a
1895 set of resources, in this case pods.
1896 properties:
1897 matchExpressions:
1898 description: matchExpressions
1899 is a list of label selector
1900 requirements. The requirements
1901 are ANDed.
1902 items:
1903 description: A label selector
1904 requirement is a selector
1905 that contains values, a key,
1906 and an operator that relates
1907 the key and values.
1908 properties:
1909 key:
1910 description: key is the
1911 label key that the selector
1912 applies to.
1913 type: string
1914 operator:
1915 description: operator represents
1916 a key's relationship to
1917 a set of values. Valid
1918 operators are In, NotIn,
1919 Exists and DoesNotExist.
1920 type: string
1921 values:
1922 description: values is an
1923 array of string values.
1924 If the operator is In
1925 or NotIn, the values array
1926 must be non-empty. If
1927 the operator is Exists
1928 or DoesNotExist, the values
1929 array must be empty. This
1930 array is replaced during
1931 a strategic merge patch.
1932 items:
1933 type: string
1934 type: array
1935 required:
1936 - key
1937 - operator
1938 type: object
1939 type: array
1940 matchLabels:
1941 additionalProperties:
1942 type: string
1943 description: matchLabels is a
1944 map of {key,value} pairs. A
1945 single {key,value} in the matchLabels
1946 map is equivalent to an element
1947 of matchExpressions, whose key
1948 field is "key", the operator
1949 is "In", and the values array
1950 contains only "value". The requirements
1951 are ANDed.
1952 type: object
1953 type: object
1954 namespaces:
1955 description: namespaces specifies
1956 which namespaces the labelSelector
1957 applies to (matches against); null
1958 or empty list means "this pod's
1959 namespace"
1960 items:
1961 type: string
1962 type: array
1963 topologyKey:
1964 description: This pod should be co-located
1965 (affinity) or not co-located (anti-affinity)
1966 with the pods matching the labelSelector
1967 in the specified namespaces, where
1968 co-located is defined as running
1969 on a node whose value of the label
1970 with key topologyKey matches that
1971 of any node on which any of the
1972 selected pods is running. Empty
1973 topologyKey is not allowed.
1974 type: string
1975 required:
1976 - topologyKey
1977 type: object
1978 type: array
1979 type: object
1980 type: object
1981 nodeSelector:
1982 additionalProperties:
1983 type: string
1984 description: 'NodeSelector is a selector which must
1985 be true for the pod to fit on a node. Selector
1986 which must match a node''s labels for the pod
1987 to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
1988 type: object
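# Tolerations applied to HTTP01 solver pods (nesting restored, paste gutter
# numbers dropped).
# NOTE(review): tolerations let solver pods be scheduled onto tainted nodes.
# An empty key with operator Exists matches every taint (see `key`), so a
# solver carrying that toleration may land on nodes reserved for other
# workloads. Treat write access to this field as the ability to place pods on
# such nodes.
tolerations:
  description: If specified, the pod's tolerations.
  items:
    description: The pod this Toleration is attached
      to tolerates any taint that matches the triple
      <key,value,effect> using the matching operator
      <operator>.
    properties:
      # No `enum` here: the allowed values named in the description are not
      # enforced by this schema.
      effect:
        description: Effect indicates the taint effect
          to match. Empty means match all taint effects.
          When specified, allowed values are NoSchedule,
          PreferNoSchedule and NoExecute.
        type: string
      key:
        description: Key is the taint key that the
          toleration applies to. Empty means match
          all taint keys. If the key is empty, operator
          must be Exists; this combination means to
          match all values and all keys.
        type: string
      operator:
        description: Operator represents a key's relationship
          to the value. Valid operators are Exists
          and Equal. Defaults to Equal. Exists is
          equivalent to wildcard for value, so that
          a pod can tolerate all taints of a particular
          category.
        type: string
      # Left unset, a NoExecute taint is tolerated indefinitely (see
      # description), so the pod is never evicted on that taint.
      tolerationSeconds:
        description: TolerationSeconds represents
          the period of time the toleration (which
          must be of effect NoExecute, otherwise this
          field is ignored) tolerates the taint. By
          default, it is not set, which means tolerate
          the taint forever (do not evict). Zero and
          negative values will be treated as 0 (evict
          immediately) by the system.
        format: int64
        type: integer
      value:
        description: Value is the taint value the
          toleration matches to. If the operator is
          Exists, the value should be empty, otherwise
          just a regular string.
        type: string
    type: object
  type: array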
2037 type: object
2038 type: object
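# Service type used for the HTTP01 solver service (nesting restored, paste
# gutter numbers dropped).
# NOTE(review): free-form string with no `enum` in this schema. Which Service
# types the controller accepts, and what it uses when the field is unset, are
# not visible here - confirm. Types that publish a node port or an external
# load balancer expose the solver service outside the ingress path.
serviceType:
  description: Optional service type for Kubernetes solver
    service
  type: string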
2043 type: object
2044 type: object
2045 selector:
2046 description: Selector selects a set of DNSNames on the Certificate
2047 resource that should be solved using this challenge solver.
2048 properties:
2049 dnsNames:
2050 description: List of DNSNames that this solver will be used
2051 to solve. If specified and a match is found, a dnsNames selector
2052 will take precedence over a dnsZones selector. If multiple
2053 solvers match with the same dnsNames value, the solver with
2054 the most matching labels in matchLabels will be selected.
2055 If neither has more matches, the solver defined earlier in
2056 the list will be selected.
2057 items:
2058 type: string
2059 type: array
2060 dnsZones:
2061 description: List of DNSZones that this solver will be used
2062 to solve. The most specific DNS zone match specified here
2063 will take precedence over other DNS zone matches, so a solver
2064 specifying sys.example.com will be selected over one specifying
2065 example.com for the domain www.sys.example.com. If multiple
2066 solvers match with the same dnsZones value, the solver with
2067 the most matching labels in matchLabels will be selected.
2068 If neither has more matches, the solver defined earlier in
2069 the list will be selected.
2070 items:
2071 type: string
2072 type: array
2073 matchLabels:
2074 additionalProperties:
2075 type: string
2076 description: A label selector that is used to refine the set
2077 of certificates that this challenge solver will apply to.
2078 type: object
2079 type: object
2080 type: object
2081 token:
2082 description: Token is the ACME challenge token for this challenge.
2083 type: string
2084 type:
2085 description: Type is the type of ACME challenge this resource represents,
2086 e.g. "dns01" or "http01"
2087 type: string
2088 url:
2089 description: URL is the URL of the ACME Challenge resource for this
2090 challenge. This can be used to look up details about the status of
2091 this challenge.
2092 type: string
2093 wildcard:
2094 description: Wildcard will be true if this challenge is for a wildcard
2095 identifier, for example '*.example.com'
2096 type: boolean
2097 required:
2098 - authzURL
2099 - dnsName
2100 - issuerRef
2101 - key
2102 - token
2103 - type
2104 - url
2105 type: object
2106 status:
2107 properties:
2108 presented:
2109 description: Presented will be set to true if the challenge values for
2110 this challenge are currently 'presented'. This *does not* imply the
2111 self check is passing. Only that the values have been 'submitted'
2112 for the appropriate challenge mechanism (i.e. the DNS01 TXT record
2113 has been presented, or the HTTP01 configuration has been configured).
2114 type: boolean
2115 processing:
2116 description: Processing is used to denote whether this challenge should
2117 be processed or not. This field will only be set to true by the 'scheduling'
2118 component. It will only be set to false by the 'challenges' controller,
2119 after the challenge has reached a final state or timed out. If this
2120 field is set to false, the challenge controller will not take any
2121 more action.
2122 type: boolean
2123 reason:
2124 description: Reason contains human readable information on why the Challenge
2125 is in the current state.
2126 type: string
2127 state:
2128 description: State contains the current 'state' of the challenge. If
2129 not set, the state of the challenge is unknown.
2130 enum:
2131 - valid
2132 - ready
2133 - pending
2134 - processing
2135 - invalid
2136 - expired
2137 - errored
2138 type: string
2139 type: object
2140 required:
2141 - metadata
2142 type: object
2143 versions:
2144 - name: v1alpha2
2145 served: true
2146 storage: true
2147 - name: v1alpha3
2148 served: true
2149 storage: false
2150---
2151apiVersion: apiextensions.k8s.io/v1beta1
2152kind: CustomResourceDefinition
2153metadata:
2154 annotations:
2155 cert-manager.io/inject-ca-from-secret: kube-apps/cert-manager-webhook-tls
2156 name: clusterissuers.cert-manager.io
2157spec:
2158 additionalPrinterColumns:
2159 - JSONPath: .status.conditions[?(@.type=="Ready")].status
2160 name: Ready
2161 type: string
2162 - JSONPath: .status.conditions[?(@.type=="Ready")].message
2163 name: Status
2164 priority: 1
2165 type: string
2166 - JSONPath: .metadata.creationTimestamp
2167 description: CreationTimestamp is a timestamp representing the server time when
2168 this object was created. It is not guaranteed to be set in happens-before order
2169 across separate operations. Clients may not set this value. It is represented
2170 in RFC3339 form and is in UTC.
2171 name: Age
2172 type: date
2173 conversion:
2174 strategy: Webhook
2175 webhookClientConfig:
2176 service:
2177 name: cert-manager-webhook
2178 namespace: kube-apps
2179 path: /convert
2180 group: cert-manager.io
2181 names:
2182 kind: ClusterIssuer
2183 listKind: ClusterIssuerList
2184 plural: clusterissuers
2185 singular: clusterissuer
2186 preserveUnknownFields: false
2187 scope: Cluster
2188 subresources:
2189 status: {}
2190 validation:
2191 openAPIV3Schema:
2192 properties:
2193 apiVersion:
2194 description: 'APIVersion defines the versioned schema of this representation
2195 of an object. Servers should convert recognized schemas to the latest
2196 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2197 type: string
2198 kind:
2199 description: 'Kind is a string value representing the REST resource this
2200 object represents. Servers may infer this from the endpoint the client
2201 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2202 type: string
2203 metadata:
2204 type: object
2205 spec:
2206 description: IssuerSpec is the specification of an Issuer. This includes
2207 any configuration required for the issuer.
2208 properties:
2209 acme:
2210 description: ACMEIssuer contains the specification for an ACME issuer
2211 properties:
2212 email:
2213 description: Email is the email for this account
2214 type: string
2215 externalAccountBinding:
2216 description: ExternalAccountBinding is a reference to a CA external
2217 account of the ACME server.
2218 properties:
2219 keyAlgorithm:
2220 description: keyAlgorithm is the MAC key algorithm that the
2221 key is used for. Valid values are "HS256", "HS384" and "HS512".
2222 enum:
2223 - HS256
2224 - HS384
2225 - HS512
2226 type: string
2227 keyID:
2228 description: keyID is the ID of the CA key that the External
2229 Account is bound to.
2230 type: string
2231 keySecretRef:
2232 description: keySecretRef is a Secret Key Selector referencing
2233 a data item in a Kubernetes Secret which holds the symmetric
2234 MAC key of the External Account Binding. The `key` is the
2235 index string that is paired with the key data in the Secret
2236 and should not be confused with the key data itself, or indeed
2237 with the External Account Binding keyID above. The secret
2238 key stored in the Secret **must** be un-padded, base64 URL
2239 encoded data.
2240 properties:
2241 key:
2242 description: The key of the secret to select from. Must
2243 be a valid secret key.
2244 type: string
2245 name:
2246 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2247 TODO: Add other useful fields. apiVersion, kind, uid?'
2248 type: string
2249 required:
2250 - name
2251 type: object
2252 required:
2253 - keyAlgorithm
2254 - keyID
2255 - keySecretRef
2256 type: object
2257 privateKeySecretRef:
2258 description: PrivateKey is the name of a secret containing the private
2259 key for this user account.
2260 properties:
2261 key:
2262 description: The key of the secret to select from. Must be a
2263 valid secret key.
2264 type: string
2265 name:
2266 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2267 TODO: Add other useful fields. apiVersion, kind, uid?'
2268 type: string
2269 required:
2270 - name
2271 type: object
2272 server:
2273 description: Server is the ACME server URL
2274 type: string
2275 skipTLSVerify:
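2276 description: If true, skip verifying the ACME server TLS certificate. With verification skipped the ACME server's identity is not authenticated, so enable this only in development or test environments.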
2277 type: boolean
2278 solvers:
2279 description: Solvers is a list of challenge solvers that will be
2280 used to solve ACME challenges for the matching domains.
2281 items:
2282 properties:
2283 dns01:
2284 properties:
2285 acmedns:
2286 description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
2287 containing the configuration for ACME-DNS servers
2288 properties:
2289 accountSecretRef:
2290 properties:
2291 key:
2292 description: The key of the secret to select from.
2293 Must be a valid secret key.
2294 type: string
2295 name:
2296 description: 'Name of the referent. More info:
2297 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2298 TODO: Add other useful fields. apiVersion, kind,
2299 uid?'
2300 type: string
2301 required:
2302 - name
2303 type: object
2304 host:
2305 type: string
2306 required:
2307 - accountSecretRef
2308 - host
2309 type: object
2310 akamai:
2311 description: ACMEIssuerDNS01ProviderAkamai is a structure
2312 containing the DNS configuration for Akamai DNS—Zone
2313 Record Management API
2314 properties:
2315 accessTokenSecretRef:
2316 properties:
2317 key:
2318 description: The key of the secret to select from.
2319 Must be a valid secret key.
2320 type: string
2321 name:
2322 description: 'Name of the referent. More info:
2323 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2324 TODO: Add other useful fields. apiVersion, kind,
2325 uid?'
2326 type: string
2327 required:
2328 - name
2329 type: object
2330 clientSecretSecretRef:
2331 properties:
2332 key:
2333 description: The key of the secret to select from.
2334 Must be a valid secret key.
2335 type: string
2336 name:
2337 description: 'Name of the referent. More info:
2338 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2339 TODO: Add other useful fields. apiVersion, kind,
2340 uid?'
2341 type: string
2342 required:
2343 - name
2344 type: object
2345 clientTokenSecretRef:
2346 properties:
2347 key:
2348 description: The key of the secret to select from.
2349 Must be a valid secret key.
2350 type: string
2351 name:
2352 description: 'Name of the referent. More info:
2353 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2354 TODO: Add other useful fields. apiVersion, kind,
2355 uid?'
2356 type: string
2357 required:
2358 - name
2359 type: object
2360 serviceConsumerDomain:
2361 type: string
2362 required:
2363 - accessTokenSecretRef
2364 - clientSecretSecretRef
2365 - clientTokenSecretRef
2366 - serviceConsumerDomain
2367 type: object
2368 azuredns:
2369 description: ACMEIssuerDNS01ProviderAzureDNS is a structure
2370 containing the configuration for Azure DNS
2371 properties:
2372 clientID:
2373 type: string
2374 clientSecretSecretRef:
2375 properties:
2376 key:
2377 description: The key of the secret to select from.
2378 Must be a valid secret key.
2379 type: string
2380 name:
2381 description: 'Name of the referent. More info:
2382 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2383 TODO: Add other useful fields. apiVersion, kind,
2384 uid?'
2385 type: string
2386 required:
2387 - name
2388 type: object
2389 environment:
2390 enum:
2391 - AzurePublicCloud
2392 - AzureChinaCloud
2393 - AzureGermanCloud
2394 - AzureUSGovernmentCloud
2395 type: string
2396 hostedZoneName:
2397 type: string
2398 resourceGroupName:
2399 type: string
2400 subscriptionID:
2401 type: string
2402 tenantID:
2403 type: string
2404 required:
2405 - clientID
2406 - clientSecretSecretRef
2407 - resourceGroupName
2408 - subscriptionID
2409 - tenantID
2410 type: object
2411 clouddns:
2412 description: ACMEIssuerDNS01ProviderCloudDNS is a structure
2413 containing the DNS configuration for Google Cloud DNS
2414 properties:
2415 project:
2416 type: string
2417 serviceAccountSecretRef:
2418 properties:
2419 key:
2420 description: The key of the secret to select from.
2421 Must be a valid secret key.
2422 type: string
2423 name:
2424 description: 'Name of the referent. More info:
2425 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2426 TODO: Add other useful fields. apiVersion, kind,
2427 uid?'
2428 type: string
2429 required:
2430 - name
2431 type: object
2432 required:
2433 - project
2434 type: object
2435 cloudflare:
2436 description: ACMEIssuerDNS01ProviderCloudflare is a structure
2437 containing the DNS configuration for Cloudflare
2438 properties:
2439 apiKeySecretRef:
2440 properties:
2441 key:
2442 description: The key of the secret to select from.
2443 Must be a valid secret key.
2444 type: string
2445 name:
2446 description: 'Name of the referent. More info:
2447 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2448 TODO: Add other useful fields. apiVersion, kind,
2449 uid?'
2450 type: string
2451 required:
2452 - name
2453 type: object
2454 apiTokenSecretRef:
2455 properties:
2456 key:
2457 description: The key of the secret to select from.
2458 Must be a valid secret key.
2459 type: string
2460 name:
2461 description: 'Name of the referent. More info:
2462 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2463 TODO: Add other useful fields. apiVersion, kind,
2464 uid?'
2465 type: string
2466 required:
2467 - name
2468 type: object
2469 email:
2470 type: string
2471 required:
2472 - email
2473 type: object
2474 cnameStrategy:
2475 description: CNAMEStrategy configures how the DNS01 provider
2476 should handle CNAME records when found in DNS zones.
2477 enum:
2478 - None
2479 - Follow
2480 type: string
2481 digitalocean:
2482 description: ACMEIssuerDNS01ProviderDigitalOcean is a
2483 structure containing the DNS configuration for DigitalOcean
2484 Domains
2485 properties:
2486 tokenSecretRef:
2487 properties:
2488 key:
2489 description: The key of the secret to select from.
2490 Must be a valid secret key.
2491 type: string
2492 name:
2493 description: 'Name of the referent. More info:
2494 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2495 TODO: Add other useful fields. apiVersion, kind,
2496 uid?'
2497 type: string
2498 required:
2499 - name
2500 type: object
2501 required:
2502 - tokenSecretRef
2503 type: object
2504 rfc2136:
2505 description: ACMEIssuerDNS01ProviderRFC2136 is a structure
2506 containing the configuration for RFC2136 DNS
2507 properties:
2508 nameserver:
2509 description: 'The IP address of the DNS supporting
2510 RFC2136. Required. Note: FQDN is not a valid value,
2511 only IP.'
2512 type: string
2513 tsigAlgorithm:
2514 description: 'The TSIG Algorithm configured in the
2515 DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
2516 and ``tsigKeyName`` are defined. Supported values
2517 are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
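2518 ``HMACSHA256`` or ``HMACSHA512``. Prefer ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them, as HMAC-MD5 is no longer recommended for TSIG.'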
2519 type: string
2520 tsigKeyName:
2521 description: The TSIG Key name configured in the DNS.
2522 If ``tsigSecretSecretRef`` is defined, this field
2523 is required.
2524 type: string
2525 tsigSecretSecretRef:
2526 description: The name of the secret containing the
2527 TSIG value. If ``tsigKeyName`` is defined, this
2528 field is required.
2529 properties:
2530 key:
2531 description: The key of the secret to select from.
2532 Must be a valid secret key.
2533 type: string
2534 name:
2535 description: 'Name of the referent. More info:
2536 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2537 TODO: Add other useful fields. apiVersion, kind,
2538 uid?'
2539 type: string
2540 required:
2541 - name
2542 type: object
2543 required:
2544 - nameserver
2545 type: object
2546 route53:
2547 description: ACMEIssuerDNS01ProviderRoute53 is a structure
2548 containing the Route 53 configuration for AWS
2549 properties:
2550 accessKeyID:
2551 description: 'The AccessKeyID is used for authentication.
2552 If not set we fall-back to using env vars, shared
2553 credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2554 type: string
2555 hostedZoneID:
2556 description: If set, the provider will manage only
2557 this zone in Route53 and will not do a lookup using
2558 the route53:ListHostedZonesByName api call.
2559 type: string
2560 region:
2561 description: Always set the region when using AccessKeyID
2562 and SecretAccessKey
2563 type: string
2564 role:
2565 description: Role is a Role ARN which the Route53
2566 provider will assume using either the explicit credentials
2567 AccessKeyID/SecretAccessKey or the inferred credentials
2568 from environment variables, shared credentials file
2569 or AWS Instance metadata
2570 type: string
2571 secretAccessKeySecretRef:
2572 description: The SecretAccessKey is used for authentication.
2573 If not set we fall-back to using env vars, shared
2574 credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2575 properties:
2576 key:
2577 description: The key of the secret to select from.
2578 Must be a valid secret key.
2579 type: string
2580 name:
2581 description: 'Name of the referent. More info:
2582 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2583 TODO: Add other useful fields. apiVersion, kind,
2584 uid?'
2585 type: string
2586 required:
2587 - name
2588 type: object
2589 required:
2590 - region
2591 type: object
2592 webhook:
2593 description: ACMEIssuerDNS01ProviderWebhook specifies
2594 configuration for a webhook DNS01 provider, including
2595 where to POST ChallengePayload resources.
2596 properties:
2597 config:
2598 description: Additional configuration that should
2599 be passed to the webhook apiserver when challenges
2600 are processed. This can contain arbitrary JSON data.
2601 Secret values should not be specified in this stanza.
2602 If secret values are needed (e.g. credentials for
2603 a DNS service), you should use a SecretKeySelector
2604 to reference a Secret resource. For details on the
2605 schema of this field, consult the webhook provider
2606 implementation's documentation.
2607 x-kubernetes-preserve-unknown-fields: true
2608 groupName:
2609 description: The API group name that should be used
2610 when POSTing ChallengePayload resources to the webhook
2611 apiserver. This should be the same as the GroupName
2612 specified in the webhook provider implementation.
2613 type: string
2614 solverName:
2615 description: The name of the solver to use, as defined
2616 in the webhook provider implementation. This will
2617 typically be the name of the provider, e.g. 'cloudflare'.
2618 type: string
2619 required:
2620 - groupName
2621 - solverName
2622 type: object
2623 type: object
2624 http01:
2625 description: ACMEChallengeSolverHTTP01 contains configuration
2626 detailing how to solve HTTP01 challenges within a Kubernetes
2627 cluster. Typically this is accomplished through creating
2628 'routes' of some description that configure ingress controllers
2629 to direct traffic to 'solver pods', which are responsible
2630 for responding to the ACME server's HTTP requests.
2631 properties:
2632 ingress:
2633 description: The ingress based HTTP01 challenge solver
2634 will solve challenges by creating or modifying Ingress
2635 resources in order to route requests for '/.well-known/acme-challenge/XYZ'
2636 to 'challenge solver' pods that are provisioned by cert-manager
2637 for each Challenge to be completed.
2638 properties:
2639 class:
2640 description: The ingress class to use when creating
2641 Ingress resources to solve ACME challenges that
2642 use this challenge solver. Only one of 'class' or
2643 'name' may be specified.
2644 type: string
2645 name:
2646 description: The name of the ingress resource that
2647 should have ACME challenge solving routes inserted
2648 into it in order to solve HTTP01 challenges. This
2649 is typically used in conjunction with ingress controllers
2650 like ingress-gce, which maintains a 1:1 mapping
2651 between external IPs and ingress resources.
2652 type: string
2653 podTemplate:
2654 description: Optional pod template used to configure
2655 the ACME challenge solver pods used for HTTP01 challenges
2656 properties:
2657 metadata:
2658 description: ObjectMeta overrides for the pod
2659 used to solve HTTP01 challenges. Only the 'labels'
2660 and 'annotations' fields may be set. If labels
2661 or annotations overlap with in-built values,
2662 the values here will override the in-built values.
2663 properties:
2664 annotations:
2665 additionalProperties:
2666 type: string
2667 description: Annotations that should be added
2668 to the created ACME HTTP01 solver pods.
2669 type: object
2670 labels:
2671 additionalProperties:
2672 type: string
2673 description: Labels that should be added to
2674 the created ACME HTTP01 solver pods.
2675 type: object
2676 type: object
2677 spec:
2678 description: PodSpec defines overrides for the
2679 HTTP01 challenge solver pod. Only the 'nodeSelector',
2680 'affinity' and 'tolerations' fields are supported
2681 currently. All other fields will be ignored.
2682 properties:
2683 affinity:
2684 description: If specified, the pod's scheduling
2685 constraints
2686 properties:
2687 nodeAffinity:
2688 description: Describes node affinity scheduling
2689 rules for the pod.
2690 properties:
2691 preferredDuringSchedulingIgnoredDuringExecution:
2692 description: The scheduler will prefer
2693 to schedule pods to nodes that satisfy
2694 the affinity expressions specified
2695 by this field, but it may choose
2696 a node that violates one or more
2697 of the expressions. The node that
2698 is most preferred is the one with
2699 the greatest sum of weights, i.e.
2700 for each node that meets all of
2701 the scheduling requirements (resource
2702 request, requiredDuringScheduling
2703 affinity expressions, etc.), compute
2704 a sum by iterating through the elements
2705 of this field and adding "weight"
2706 to the sum if the node matches the
2707 corresponding matchExpressions;
2708 the node(s) with the highest sum
2709 are the most preferred.
2710 items:
2711 description: An empty preferred
2712 scheduling term matches all objects
2713 with implicit weight 0 (i.e. it's
2714 a no-op). A null preferred scheduling
2715 term matches no objects (i.e.
2716 is also a no-op).
2717 properties:
2718 preference:
2719 description: A node selector
2720 term, associated with the
2721 corresponding weight.
2722 properties:
2723 matchExpressions:
2724 description: A list of node
2725 selector requirements
2726 by node's labels.
2727 items:
2728 description: A node selector
2729 requirement is a selector
2730 that contains values,
2731 a key, and an operator
2732 that relates the key
2733 and values.
2734 properties:
2735 key:
2736 description: The label
2737 key that the selector
2738 applies to.
2739 type: string
2740 operator:
2741 description: Represents
2742 a key's relationship
2743 to a set of values.
2744 Valid operators
2745 are In, NotIn, Exists,
2746 DoesNotExist, Gt,
2747 and Lt.
2748 type: string
2749 values:
2750 description: An array
2751 of string values.
2752 If the operator
2753 is In or NotIn,
2754 the values array
2755 must be non-empty.
2756 If the operator
2757 is Exists or DoesNotExist,
2758 the values array
2759 must be empty. If
2760 the operator is
2761 Gt or Lt, the values
2762 array must have
2763 a single element,
2764 which will be interpreted
2765 as an integer. This
2766 array is replaced
2767 during a strategic
2768 merge patch.
2769 items:
2770 type: string
2771 type: array
2772 required:
2773 - key
2774 - operator
2775 type: object
2776 type: array
2777 matchFields:
2778 description: A list of node
2779 selector requirements
2780 by node's fields.
2781 items:
2782 description: A node selector
2783 requirement is a selector
2784 that contains values,
2785 a key, and an operator
2786 that relates the key
2787 and values.
2788 properties:
2789 key:
2790 description: The label
2791 key that the selector
2792 applies to.
2793 type: string
2794 operator:
2795 description: Represents
2796 a key's relationship
2797 to a set of values.
2798 Valid operators
2799 are In, NotIn, Exists,
2800 DoesNotExist, Gt,
2801 and Lt.
2802 type: string
2803 values:
2804 description: An array
2805 of string values.
2806 If the operator
2807 is In or NotIn,
2808 the values array
2809 must be non-empty.
2810 If the operator
2811 is Exists or DoesNotExist,
2812 the values array
2813 must be empty. If
2814 the operator is
2815 Gt or Lt, the values
2816 array must have
2817 a single element,
2818 which will be interpreted
2819 as an integer. This
2820 array is replaced
2821 during a strategic
2822 merge patch.
2823 items:
2824 type: string
2825 type: array
2826 required:
2827 - key
2828 - operator
2829 type: object
2830 type: array
2831 type: object
2832 weight:
2833 description: Weight associated
2834 with matching the corresponding
2835 nodeSelectorTerm, in the range
2836 1-100.
2837 format: int32
2838 type: integer
2839 required:
2840 - preference
2841 - weight
2842 type: object
2843 type: array
2844 requiredDuringSchedulingIgnoredDuringExecution:
2845 description: If the affinity requirements
2846 specified by this field are not
2847 met at scheduling time, the pod
2848 will not be scheduled onto the node.
2849 If the affinity requirements specified
2850 by this field cease to be met at
2851 some point during pod execution
2852 (e.g. due to an update), the system
2853 may or may not try to eventually
2854 evict the pod from its node.
2855 properties:
2856 nodeSelectorTerms:
2857 description: Required. A list
2858 of node selector terms. The
2859 terms are ORed.
2860 items:
2861 description: A null or empty
2862 node selector term matches
2863 no objects. The requirements
2864 of them are ANDed. The TopologySelectorTerm
2865 type implements a subset of
2866 the NodeSelectorTerm.
2867 properties:
2868 matchExpressions:
2869 description: A list of node
2870 selector requirements
2871 by node's labels.
2872 items:
2873 description: A node selector
2874 requirement is a selector
2875 that contains values,
2876 a key, and an operator
2877 that relates the key
2878 and values.
2879 properties:
2880 key:
2881 description: The label
2882 key that the selector
2883 applies to.
2884 type: string
2885 operator:
2886 description: Represents
2887 a key's relationship
2888 to a set of values.
2889 Valid operators
2890 are In, NotIn, Exists,
2891 DoesNotExist, Gt,
2892 and Lt.
2893 type: string
2894 values:
2895 description: An array
2896 of string values.
2897 If the operator
2898 is In or NotIn,
2899 the values array
2900 must be non-empty.
2901 If the operator
2902 is Exists or DoesNotExist,
2903 the values array
2904 must be empty. If
2905 the operator is
2906 Gt or Lt, the values
2907 array must have
2908 a single element,
2909 which will be interpreted
2910 as an integer. This
2911 array is replaced
2912 during a strategic
2913 merge patch.
2914 items:
2915 type: string
2916 type: array
2917 required:
2918 - key
2919 - operator
2920 type: object
2921 type: array
2922 matchFields:
2923 description: A list of node
2924 selector requirements
2925 by node's fields.
2926 items:
2927 description: A node selector
2928 requirement is a selector
2929 that contains values,
2930 a key, and an operator
2931 that relates the key
2932 and values.
2933 properties:
2934 key:
2935 description: The label
2936 key that the selector
2937 applies to.
2938 type: string
2939 operator:
2940 description: Represents
2941 a key's relationship
2942 to a set of values.
2943 Valid operators
2944 are In, NotIn, Exists,
2945 DoesNotExist, Gt,
2946 and Lt.
2947 type: string
2948 values:
2949 description: An array
2950 of string values.
2951 If the operator
2952 is In or NotIn,
2953 the values array
2954 must be non-empty.
2955 If the operator
2956 is Exists or DoesNotExist,
2957 the values array
2958 must be empty. If
2959 the operator is
2960 Gt or Lt, the values
2961 array must have
2962 a single element,
2963 which will be interpreted
2964 as an integer. This
2965 array is replaced
2966 during a strategic
2967 merge patch.
2968 items:
2969 type: string
2970 type: array
2971 required:
2972 - key
2973 - operator
2974 type: object
2975 type: array
2976 type: object
2977 type: array
2978 required:
2979 - nodeSelectorTerms
2980 type: object
2981 type: object
2982 podAffinity:
2983 description: Describes pod affinity scheduling
2984 rules (e.g. co-locate this pod in the
2985 same node, zone, etc. as some other
2986 pod(s)).
2987 properties:
2988 preferredDuringSchedulingIgnoredDuringExecution:
2989 description: The scheduler will prefer
2990 to schedule pods to nodes that satisfy
2991 the affinity expressions specified
2992 by this field, but it may choose
2993 a node that violates one or more
2994 of the expressions. The node that
2995 is most preferred is the one with
2996 the greatest sum of weights, i.e.
2997 for each node that meets all of
2998 the scheduling requirements (resource
2999 request, requiredDuringScheduling
3000 affinity expressions, etc.), compute
3001 a sum by iterating through the elements
3002 of this field and adding "weight"
3003 to the sum if the node has pods
3004 which match the corresponding
3005 podAffinityTerm; the node(s) with
3006 the highest sum are the most preferred.
3007 items:
3008 description: The weights of all
3009 of the matched WeightedPodAffinityTerm
3010 fields are added per-node to find
3011 the most preferred node(s)
3012 properties:
3013 podAffinityTerm:
3014 description: Required. A pod
3015 affinity term, associated
3016 with the corresponding weight.
3017 properties:
3018 labelSelector:
3019 description: A label query
3020 over a set of resources,
3021 in this case pods.
3022 properties:
3023 matchExpressions:
3024 description: matchExpressions
3025 is a list of label
3026 selector requirements.
3027 The requirements are
3028 ANDed.
3029 items:
3030 description: A label
3031 selector requirement
3032 is a selector that
3033 contains values,
3034 a key, and an operator
3035 that relates the
3036 key and values.
3037 properties:
3038 key:
3039 description: key
3040 is the label
3041 key that the
3042 selector applies
3043 to.
3044 type: string
3045 operator:
3046 description: operator
3047 represents a
3048 key's relationship
3049 to a set of
3050 values. Valid
3051 operators are
3052 In, NotIn, Exists
3053 and DoesNotExist.
3054 type: string
3055 values:
3056 description: values
3057 is an array
3058 of string values.
3059 If the operator
3060 is In or NotIn,
3061 the values array
3062 must be non-empty.
3063 If the operator
3064 is Exists or
3065 DoesNotExist,
3066 the values array
3067 must be empty.
3068 This array is
3069 replaced during
3070 a strategic
3071 merge patch.
3072 items:
3073 type: string
3074 type: array
3075 required:
3076 - key
3077 - operator
3078 type: object
3079 type: array
3080 matchLabels:
3081 additionalProperties:
3082 type: string
3083 description: matchLabels
3084 is a map of {key,value}
3085 pairs. A single {key,value}
3086 in the matchLabels
3087 map is equivalent
3088 to an element of matchExpressions,
3089 whose key field is
3090 "key", the operator
3091 is "In", and the values
3092 array contains only
3093 "value". The requirements
3094 are ANDed.
3095 type: object
3096 type: object
3097 namespaces:
3098 description: namespaces
3099 specifies which namespaces
3100 the labelSelector applies
3101 to (matches against);
3102 null or empty list means
3103 "this pod's namespace"
3104 items:
3105 type: string
3106 type: array
3107 topologyKey:
3108 description: This pod should
3109 be co-located (affinity)
3110 or not co-located (anti-affinity)
3111 with the pods matching
3112 the labelSelector in the
3113 specified namespaces,
3114 where co-located is defined
3115 as running on a node whose
3116 value of the label with
3117 key topologyKey matches
3118 that of any node on which
3119 any of the selected pods
3120 is running. Empty topologyKey
3121 is not allowed.
3122 type: string
3123 required:
3124 - topologyKey
3125 type: object
3126 weight:
3127 description: weight associated
3128 with matching the corresponding
3129 podAffinityTerm, in the range
3130 1-100.
3131 format: int32
3132 type: integer
3133 required:
3134 - podAffinityTerm
3135 - weight
3136 type: object
3137 type: array
3138 requiredDuringSchedulingIgnoredDuringExecution:
3139 description: If the affinity requirements
3140 specified by this field are not
3141 met at scheduling time, the pod
3142 will not be scheduled onto the node.
3143 If the affinity requirements specified
3144 by this field cease to be met at
3145 some point during pod execution
3146 (e.g. due to a pod label update),
3147 the system may or may not try to
3148 eventually evict the pod from its
3149 node. When there are multiple elements,
3150 the lists of nodes corresponding
3151 to each podAffinityTerm are intersected,
3152 i.e. all terms must be satisfied.
3153 items:
3154 description: Defines a set of pods
3155 (namely those matching the labelSelector
3156 relative to the given namespace(s))
3157 that this pod should be co-located
3158 (affinity) or not co-located (anti-affinity)
3159 with, where co-located is defined
3160 as running on a node whose value
3161 of the label with key <topologyKey>
3162 matches that of any node on which
3163 a pod of the set of pods is running
3164 properties:
3165 labelSelector:
3166 description: A label query over
3167 a set of resources, in this
3168 case pods.
3169 properties:
3170 matchExpressions:
3171 description: matchExpressions
3172 is a list of label selector
3173 requirements. The requirements
3174 are ANDed.
3175 items:
3176 description: A label selector
3177 requirement is a selector
3178 that contains values,
3179 a key, and an operator
3180 that relates the key
3181 and values.
3182 properties:
3183 key:
3184 description: key is
3185 the label key that
3186 the selector applies
3187 to.
3188 type: string
3189 operator:
3190 description: operator
3191 represents a key's
3192 relationship to
3193 a set of values.
3194 Valid operators
3195 are In, NotIn, Exists
3196 and DoesNotExist.
3197 type: string
3198 values:
3199 description: values
3200 is an array of string
3201 values. If the operator
3202 is In or NotIn,
3203 the values array
3204 must be non-empty.
3205 If the operator
3206 is Exists or DoesNotExist,
3207 the values array
3208 must be empty. This
3209 array is replaced
3210 during a strategic
3211 merge patch.
3212 items:
3213 type: string
3214 type: array
3215 required:
3216 - key
3217 - operator
3218 type: object
3219 type: array
3220 matchLabels:
3221 additionalProperties:
3222 type: string
3223 description: matchLabels
3224 is a map of {key,value}
3225 pairs. A single {key,value}
3226 in the matchLabels map
3227 is equivalent to an element
3228 of matchExpressions, whose
3229 key field is "key", the
3230 operator is "In", and
3231 the values array contains
3232 only "value". The requirements
3233 are ANDed.
3234 type: object
3235 type: object
3236 namespaces:
3237 description: namespaces specifies
3238 which namespaces the labelSelector
3239 applies to (matches against);
3240 null or empty list means "this
3241 pod's namespace"
3242 items:
3243 type: string
3244 type: array
3245 topologyKey:
3246 description: This pod should
3247 be co-located (affinity) or
3248 not co-located (anti-affinity)
3249 with the pods matching the
3250 labelSelector in the specified
3251 namespaces, where co-located
3252 is defined as running on a
3253 node whose value of the label
3254 with key topologyKey matches
3255 that of any node on which
3256 any of the selected pods is
3257 running. Empty topologyKey
3258 is not allowed.
3259 type: string
3260 required:
3261 - topologyKey
3262 type: object
3263 type: array
3264 type: object
3265 podAntiAffinity:
3266 description: Describes pod anti-affinity
3267 scheduling rules (e.g. avoid putting
3268 this pod in the same node, zone, etc.
3269 as some other pod(s)).
3270 properties:
3271 preferredDuringSchedulingIgnoredDuringExecution:
3272 description: The scheduler will prefer
3273 to schedule pods to nodes that satisfy
3274 the anti-affinity expressions specified
3275 by this field, but it may choose
3276 a node that violates one or more
3277 of the expressions. The node that
3278 is most preferred is the one with
3279 the greatest sum of weights, i.e.
3280 for each node that meets all of
3281 the scheduling requirements (resource
3282 request, requiredDuringScheduling
3283 anti-affinity expressions, etc.),
3284 compute a sum by iterating through
3285 the elements of this field and adding
3286 "weight" to the sum if the node
3287 has pods which matches the corresponding
3288 podAffinityTerm; the node(s) with
3289 the highest sum are the most preferred.
3290 items:
3291 description: The weights of all
3292 of the matched WeightedPodAffinityTerm
3293 fields are added per-node to find
3294 the most preferred node(s)
3295 properties:
3296 podAffinityTerm:
3297 description: Required. A pod
3298 affinity term, associated
3299 with the corresponding weight.
3300 properties:
3301 labelSelector:
3302 description: A label query
3303 over a set of resources,
3304 in this case pods.
3305 properties:
3306 matchExpressions:
3307 description: matchExpressions
3308 is a list of label
3309 selector requirements.
3310 The requirements are
3311 ANDed.
3312 items:
3313 description: A label
3314 selector requirement
3315 is a selector that
3316 contains values,
3317 a key, and an operator
3318 that relates the
3319 key and values.
3320 properties:
3321 key:
3322 description: key
3323 is the label
3324 key that the
3325 selector applies
3326 to.
3327 type: string
3328 operator:
3329 description: operator
3330 represents a
3331 key's relationship
3332 to a set of
3333 values. Valid
3334 operators are
3335 In, NotIn, Exists
3336 and DoesNotExist.
3337 type: string
3338 values:
3339 description: values
3340 is an array
3341 of string values.
3342 If the operator
3343 is In or NotIn,
3344 the values array
3345 must be non-empty.
3346 If the operator
3347 is Exists or
3348 DoesNotExist,
3349 the values array
3350 must be empty.
3351 This array is
3352 replaced during
3353 a strategic
3354 merge patch.
3355 items:
3356 type: string
3357 type: array
3358 required:
3359 - key
3360 - operator
3361 type: object
3362 type: array
3363 matchLabels:
3364 additionalProperties:
3365 type: string
3366 description: matchLabels
3367 is a map of {key,value}
3368 pairs. A single {key,value}
3369 in the matchLabels
3370 map is equivalent
3371 to an element of matchExpressions,
3372 whose key field is
3373 "key", the operator
3374 is "In", and the values
3375 array contains only
3376 "value". The requirements
3377 are ANDed.
3378 type: object
3379 type: object
3380 namespaces:
3381 description: namespaces
3382 specifies which namespaces
3383 the labelSelector applies
3384 to (matches against);
3385 null or empty list means
3386 "this pod's namespace"
3387 items:
3388 type: string
3389 type: array
3390 topologyKey:
3391 description: This pod should
3392 be co-located (affinity)
3393 or not co-located (anti-affinity)
3394 with the pods matching
3395 the labelSelector in the
3396 specified namespaces,
3397 where co-located is defined
3398 as running on a node whose
3399 value of the label with
3400 key topologyKey matches
3401 that of any node on which
3402 any of the selected pods
3403 is running. Empty topologyKey
3404 is not allowed.
3405 type: string
3406 required:
3407 - topologyKey
3408 type: object
3409 weight:
3410 description: weight associated
3411 with matching the corresponding
3412 podAffinityTerm, in the range
3413 1-100.
3414 format: int32
3415 type: integer
3416 required:
3417 - podAffinityTerm
3418 - weight
3419 type: object
3420 type: array
3421 requiredDuringSchedulingIgnoredDuringExecution:
3422 description: If the anti-affinity
3423 requirements specified by this field
3424 are not met at scheduling time,
3425 the pod will not be scheduled onto
3426 the node. If the anti-affinity requirements
3427 specified by this field cease to
3428 be met at some point during pod
3429 execution (e.g. due to a pod label
3430 update), the system may or may not
3431 try to eventually evict the pod
3432 from its node. When there are multiple
3433 elements, the lists of nodes corresponding
3434 to each podAffinityTerm are intersected,
3435 i.e. all terms must be satisfied.
3436 items:
3437 description: Defines a set of pods
3438 (namely those matching the labelSelector
3439 relative to the given namespace(s))
3440 that this pod should be co-located
3441 (affinity) or not co-located (anti-affinity)
3442 with, where co-located is defined
3443 as running on a node whose value
3444 of the label with key <topologyKey>
3445 matches that of any node on which
3446 a pod of the set of pods is running
3447 properties:
3448 labelSelector:
3449 description: A label query over
3450 a set of resources, in this
3451 case pods.
3452 properties:
3453 matchExpressions:
3454 description: matchExpressions
3455 is a list of label selector
3456 requirements. The requirements
3457 are ANDed.
3458 items:
3459 description: A label selector
3460 requirement is a selector
3461 that contains values,
3462 a key, and an operator
3463 that relates the key
3464 and values.
3465 properties:
3466 key:
3467 description: key is
3468 the label key that
3469 the selector applies
3470 to.
3471 type: string
3472 operator:
3473 description: operator
3474 represents a key's
3475 relationship to
3476 a set of values.
3477 Valid operators
3478 are In, NotIn, Exists
3479 and DoesNotExist.
3480 type: string
3481 values:
3482 description: values
3483 is an array of string
3484 values. If the operator
3485 is In or NotIn,
3486 the values array
3487 must be non-empty.
3488 If the operator
3489 is Exists or DoesNotExist,
3490 the values array
3491 must be empty. This
3492 array is replaced
3493 during a strategic
3494 merge patch.
3495 items:
3496 type: string
3497 type: array
3498 required:
3499 - key
3500 - operator
3501 type: object
3502 type: array
3503 matchLabels:
3504 additionalProperties:
3505 type: string
3506 description: matchLabels
3507 is a map of {key,value}
3508 pairs. A single {key,value}
3509 in the matchLabels map
3510 is equivalent to an element
3511 of matchExpressions, whose
3512 key field is "key", the
3513 operator is "In", and
3514 the values array contains
3515 only "value". The requirements
3516 are ANDed.
3517 type: object
3518 type: object
3519 namespaces:
3520 description: namespaces specifies
3521 which namespaces the labelSelector
3522 applies to (matches against);
3523 null or empty list means "this
3524 pod's namespace"
3525 items:
3526 type: string
3527 type: array
3528 topologyKey:
3529 description: This pod should
3530 be co-located (affinity) or
3531 not co-located (anti-affinity)
3532 with the pods matching the
3533 labelSelector in the specified
3534 namespaces, where co-located
3535 is defined as running on a
3536 node whose value of the label
3537 with key topologyKey matches
3538 that of any node on which
3539 any of the selected pods is
3540 running. Empty topologyKey
3541 is not allowed.
3542 type: string
3543 required:
3544 - topologyKey
3545 type: object
3546 type: array
3547 type: object
3548 type: object
3549 nodeSelector:
3550 additionalProperties:
3551 type: string
3552 description: 'NodeSelector is a selector which
3553 must be true for the pod to fit on a node.
3554 Selector which must match a node''s labels
3555 for the pod to be scheduled on that node.
3556 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3557 type: object
3558 tolerations:
3559 description: If specified, the pod's tolerations.
3560 items:
3561 description: The pod this Toleration is
3562 attached to tolerates any taint that matches
3563 the triple <key,value,effect> using the
3564 matching operator <operator>.
3565 properties:
3566 effect:
3567 description: Effect indicates the taint
3568 effect to match. Empty means match
3569 all taint effects. When specified,
3570 allowed values are NoSchedule, PreferNoSchedule
3571 and NoExecute.
3572 type: string
3573 key:
3574 description: Key is the taint key that
3575 the toleration applies to. Empty means
3576 match all taint keys. If the key is
3577 empty, operator must be Exists; this
3578 combination means to match all values
3579 and all keys.
3580 type: string
3581 operator:
3582 description: Operator represents a key's
3583 relationship to the value. Valid operators
3584 are Exists and Equal. Defaults to
3585 Equal. Exists is equivalent to wildcard
3586 for value, so that a pod can tolerate
3587 all taints of a particular category.
3588 type: string
3589 tolerationSeconds:
3590 description: TolerationSeconds represents
3591 the period of time the toleration
3592 (which must be of effect NoExecute,
3593 otherwise this field is ignored) tolerates
3594 the taint. By default, it is not set,
3595 which means tolerate the taint forever
3596 (do not evict). Zero and negative
3597 values will be treated as 0 (evict
3598 immediately) by the system.
3599 format: int64
3600 type: integer
3601 value:
3602 description: Value is the taint value
3603 the toleration matches to. If the
3604 operator is Exists, the value should
3605 be empty, otherwise just a regular
3606 string.
3607 type: string
3608 type: object
3609 type: array
3610 type: object
3611 type: object
3612 serviceType:
3613 description: Optional service type for Kubernetes
3614 solver service
3615 type: string
3616 type: object
3617 type: object
3618 selector:
3619 description: Selector selects a set of DNSNames on the Certificate
3620 resource that should be solved using this challenge solver.
3621 properties:
3622 dnsNames:
3623 description: List of DNSNames that this solver will be
3624 used to solve. If specified and a match is found, a
3625 dnsNames selector will take precedence over a dnsZones
3626 selector. If multiple solvers match with the same dnsNames
3627 value, the solver with the most matching labels in matchLabels
3628 will be selected. If neither has more matches, the solver
3629 defined earlier in the list will be selected.
3630 items:
3631 type: string
3632 type: array
3633 dnsZones:
3634 description: List of DNSZones that this solver will be
3635 used to solve. The most specific DNS zone match specified
3636 here will take precedence over other DNS zone matches,
3637 so a solver specifying sys.example.com will be selected
3638 over one specifying example.com for the domain www.sys.example.com.
3639 If multiple solvers match with the same dnsZones value,
3640 the solver with the most matching labels in matchLabels
3641 will be selected. If neither has more matches, the solver
3642 defined earlier in the list will be selected.
3643 items:
3644 type: string
3645 type: array
3646 matchLabels:
3647 additionalProperties:
3648 type: string
3649 description: A label selector that is used to refine the
3650 set of certificates that this challenge solver will
3651 apply to.
3652 type: object
3653 type: object
3654 type: object
3655 type: array
3656 required:
3657 - privateKeySecretRef
3658 - server
3659 type: object
3660 ca:
3661 properties:
3662 secretName:
3663 description: SecretName is the name of the secret used to sign Certificates
3664 issued by this Issuer.
3665 type: string
3666 required:
3667 - secretName
3668 type: object
3669 selfSigned:
3670 type: object
3671 vault:
3672 properties:
3673 auth:
3674 description: Vault authentication
3675 properties:
3676 appRole:
3677 description: This Secret contains an AppRole and Secret
3678 properties:
3679 path:
3680 description: Where the authentication path is mounted in
3681 Vault.
3682 type: string
3683 roleId:
3684 type: string
3685 secretRef:
3686 properties:
3687 key:
3688 description: The key of the secret to select from. Must
3689 be a valid secret key.
3690 type: string
3691 name:
3692 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3693 TODO: Add other useful fields. apiVersion, kind, uid?'
3694 type: string
3695 required:
3696 - name
3697 type: object
3698 required:
3699 - path
3700 - roleId
3701 - secretRef
3702 type: object
3703 kubernetes:
3704 description: This contains a Role and Secret with a ServiceAccount
3705 token to authenticate with vault.
3706 properties:
3707 mountPath:
3708 description: The Vault mountPath here is the mount path
3709 to use when authenticating with Vault. For example, setting
3710 a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
3711 to authenticate with Vault. If unspecified, the default
3712 value "/v1/auth/kubernetes" will be used.
3713 type: string
3714 role:
3715 description: A required field containing the Vault Role
3716 to assume. A Role binds a Kubernetes ServiceAccount with
3717 a set of Vault policies.
3718 type: string
3719 secretRef:
3720 description: The required Secret field containing a Kubernetes
3721 ServiceAccount JWT used for authenticating with Vault.
3722 Use of 'ambient credentials' is not supported.
3723 properties:
3724 key:
3725 description: The key of the secret to select from. Must
3726 be a valid secret key.
3727 type: string
3728 name:
3729 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3730 TODO: Add other useful fields. apiVersion, kind, uid?'
3731 type: string
3732 required:
3733 - name
3734 type: object
3735 required:
3736 - role
3737 - secretRef
3738 type: object
3739 tokenSecretRef:
3740 description: This Secret contains the Vault token key
3741 properties:
3742 key:
3743 description: The key of the secret to select from. Must
3744 be a valid secret key.
3745 type: string
3746 name:
3747 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3748 TODO: Add other useful fields. apiVersion, kind, uid?'
3749 type: string
3750 required:
3751 - name
3752 type: object
3753 type: object
# Vault issuer connection settings: CA pin, certificate role path, server address.
# caBundle pins the CA used to verify the Vault server certificate. Per the
# description it is only consulted for HTTPS server URLs, and the system root
# certificates are used when it is unset.
3754 caBundle:
3755 description: Base64 encoded CA bundle to validate Vault server certificate.
3756 Only used if the Server URL is using HTTPS protocol. This parameter
3757 is ignored for plain HTTP protocol connection. If not set the
3758 system root certificates are used to validate the TLS connection.
3759 format: byte
3760 type: string
3761 path:
3762 description: Vault URL path to the certificate role
3763 type: string
# NOTE(review): server is a free-form string; this schema has no pattern that
# restricts the URL scheme, so a plain-HTTP address passes validation. The
# credentials referenced under auth (AppRole secret, ServiceAccount JWT, Vault
# token) would then be sent unencrypted. Use an https:// address, and set
# caBundle when the Vault certificate is issued by a private CA.
3764 server:
3765 description: Server is the vault connection address
3766 type: string
3767 required:
3768 - auth
3769 - path
3770 - server
3771 type: object
3772 venafi:
3773 description: VenafiIssuer describes issuer configuration details for
3774 Venafi Cloud.
3775 properties:
3776 cloud:
3777 description: Cloud specifies the Venafi cloud configuration settings.
3778 Only one of TPP or Cloud may be specified.
3779 properties:
3780 apiTokenSecretRef:
3781 description: APITokenSecretRef is a secret key selector for
3782 the Venafi Cloud API token.
3783 properties:
3784 key:
3785 description: The key of the secret to select from. Must
3786 be a valid secret key.
3787 type: string
3788 name:
3789 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3790 TODO: Add other useful fields. apiVersion, kind, uid?'
3791 type: string
3792 required:
3793 - name
3794 type: object
3795 url:
3796 description: URL is the base URL for Venafi Cloud
3797 type: string
3798 required:
3799 - apiTokenSecretRef
3800 type: object
3801 tpp:
3802 description: TPP specifies Trust Protection Platform configuration
3803 settings. Only one of TPP or Cloud may be specified.
3804 properties:
# CA used to verify TLS connections to the Venafi TPP instance. Per the
# description, setting it replaces the system roots instead of adding to them,
# so the TPP certificate must chain to the root supplied here.
# NOTE(review): the description says "PEM encoded" while the schema declares
# format: byte, so the manifest value is presumably the base64 encoding of the
# PEM bundle - confirm against the cert-manager version in use.
3805 caBundle:
3806 description: CABundle is a PEM encoded TLS certificate to use
3807 to verify connections to the TPP instance. If specified, system
3808 roots will not be used and the issuing CA for the TPP instance
3809 must be verifiable using the provided root. If not specified,
3810 the connection will be verified using the cert-manager system
3811 root certificates.
3812 format: byte
3813 type: string
3814 credentialsRef:
3815 description: CredentialsRef is a reference to a Secret containing
3816 the username and password for the TPP server. The secret must
3817 contain two keys, 'username' and 'password'.
3818 properties:
3819 name:
3820 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3821 TODO: Add other useful fields. apiVersion, kind, uid?'
3822 type: string
3823 required:
3824 - name
3825 type: object
3826 url:
3827 description: URL is the base URL for the Venafi TPP instance
3828 type: string
3829 required:
3830 - credentialsRef
3831 - url
3832 type: object
3833 zone:
3834 description: Zone is the Venafi Policy Zone to use for this issuer.
3835 All requests made to the Venafi platform will be restricted by
3836 the named zone policy. This field is required.
3837 type: string
3838 required:
3839 - zone
3840 type: object
3841 type: object
3842 status:
3843 description: IssuerStatus contains status information about an Issuer
3844 properties:
3845 acme:
3846 properties:
3847 lastRegisteredEmail:
3848 description: LastRegisteredEmail is the email associated with the
3849 latest registered ACME account, in order to track changes made
3850 to registered account associated with the Issuer
3851 type: string
3852 uri:
3853 description: URI is the unique account identifier, which can also
3854 be used to retrieve account details from the CA
3855 type: string
3856 type: object
3857 conditions:
3858 items:
3859 description: IssuerCondition contains condition information for an
3860 Issuer.
3861 properties:
3862 lastTransitionTime:
3863 description: LastTransitionTime is the timestamp corresponding
3864 to the last status change of this condition.
3865 format: date-time
3866 type: string
3867 message:
3868 description: Message is a human readable description of the details
3869 of the last transition, complementing reason.
3870 type: string
3871 reason:
3872 description: Reason is a brief machine readable explanation for
3873 the condition's last transition.
3874 type: string
3875 status:
3876 description: Status of the condition, one of ('True', 'False',
3877 'Unknown').
3878 enum:
3879 - "True"
3880 - "False"
3881 - Unknown
3882 type: string
3883 type:
3884 description: Type of the condition, currently ('Ready').
3885 type: string
3886 required:
3887 - status
3888 - type
3889 type: object
3890 type: array
3891 type: object
3892 type: object
3893 versions:
3894 - name: v1alpha2
3895 served: true
3896 storage: true
3897 - name: v1alpha3
3898 served: true
3899 storage: false
3900---
# CustomResourceDefinition for the Issuer kind (issuers.cert-manager.io).
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served as of
# Kubernetes 1.22; on such clusters this CRD has to be supplied in the
# apiextensions.k8s.io/v1 form.
# The inject-ca-from-secret annotation names, as namespace/name, the Secret
# whose CA is meant to be injected into this CRD - presumably by cert-manager's
# cainjector, as the CA bundle for the conversion webhook; this manifest sets
# no caBundle itself.
3901apiVersion: apiextensions.k8s.io/v1beta1
3902kind: CustomResourceDefinition
3903metadata:
3904 annotations:
3905 cert-manager.io/inject-ca-from-secret: kube-apps/cert-manager-webhook-tls
3906 name: issuers.cert-manager.io
3907spec:
3908 additionalPrinterColumns:
3909 - JSONPath: .status.conditions[?(@.type=="Ready")].status
3910 name: Ready
3911 type: string
3912 - JSONPath: .status.conditions[?(@.type=="Ready")].message
3913 name: Status
3914 priority: 1
3915 type: string
3916 - JSONPath: .metadata.creationTimestamp
3917 description: CreationTimestamp is a timestamp representing the server time when
3918 this object was created. It is not guaranteed to be set in happens-before order
3919 across separate operations. Clients may not set this value. It is represented
3920 in RFC3339 form and is in UTC.
3921 name: Age
3922 type: date
# Version conversion for this CRD is delegated to a webhook: the API server
# calls the Service cert-manager-webhook in namespace kube-apps at path /convert.
# NOTE(review): no caBundle appears under webhookClientConfig here, so trust in
# the webhook's serving certificate depends on the CA being injected after
# install (see the inject-ca-from-secret annotation in metadata). The webhook
# rewrites stored objects between versions, so write access to that Service
# and to its TLS Secret should be limited to the cert-manager components.
3923 conversion:
3924 strategy: Webhook
3925 webhookClientConfig:
3926 service:
3927 name: cert-manager-webhook
3928 namespace: kube-apps
3929 path: /convert
3930 group: cert-manager.io
3931 names:
3932 kind: Issuer
3933 listKind: IssuerList
3934 plural: issuers
3935 singular: issuer
3936 preserveUnknownFields: false
3937 scope: Namespaced
3938 subresources:
3939 status: {}
3940 validation:
3941 openAPIV3Schema:
3942 properties:
3943 apiVersion:
3944 description: 'APIVersion defines the versioned schema of this representation
3945 of an object. Servers should convert recognized schemas to the latest
3946 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3947 type: string
3948 kind:
3949 description: 'Kind is a string value representing the REST resource this
3950 object represents. Servers may infer this from the endpoint the client
3951 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3952 type: string
3953 metadata:
3954 type: object
3955 spec:
3956 description: IssuerSpec is the specification of an Issuer. This includes
3957 any configuration required for the issuer.
3958 properties:
3959 acme:
3960 description: ACMEIssuer contains the specification for an ACME issuer
3961 properties:
3962 email:
3963 description: Email is the email for this account
3964 type: string
3965 externalAccountBinding:
3966 description: ExternalAccountBinding is a reference to a CA external
3967 account of the ACME server.
3968 properties:
3969 keyAlgorithm:
3970 description: keyAlgorithm is the MAC key algorithm that the
3971 key is used for. Valid values are "HS256", "HS384" and "HS512".
3972 enum:
3973 - HS256
3974 - HS384
3975 - HS512
3976 type: string
3977 keyID:
3978 description: keyID is the ID of the CA key that the External
3979 Account is bound to.
3980 type: string
3981 keySecretRef:
3982 description: keySecretRef is a Secret Key Selector referencing
3983 a data item in a Kubernetes Secret which holds the symmetric
3984 MAC key of the External Account Binding. The `key` is the
3985 index string that is paired with the key data in the Secret
3986 and should not be confused with the key data itself, or indeed
3987 with the External Account Binding keyID above. The secret
3988 key stored in the Secret **must** be un-padded, base64 URL
3989 encoded data.
3990 properties:
3991 key:
3992 description: The key of the secret to select from. Must
3993 be a valid secret key.
3994 type: string
3995 name:
3996 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3997 TODO: Add other useful fields. apiVersion, kind, uid?'
3998 type: string
3999 required:
4000 - name
4001 type: object
4002 required:
4003 - keyAlgorithm
4004 - keyID
4005 - keySecretRef
4006 type: object
4007 privateKeySecretRef:
4008 description: PrivateKey is the name of a secret containing the private
4009 key for this user account.
4010 properties:
4011 key:
4012 description: The key of the secret to select from. Must be a
4013 valid secret key.
4014 type: string
4015 name:
4016 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4017 TODO: Add other useful fields. apiVersion, kind, uid?'
4018 type: string
4019 required:
4020 - name
4021 type: object
4022 server:
4023 description: Server is the ACME server URL
4024 type: string
# Boolean switch that, per its description, disables verification of the ACME
# server's TLS certificate when true.
# NOTE(review): with verification off, nothing authenticates the ACME endpoint,
# so account registration and order traffic can be intercepted or redirected by
# an on-path party. Leave it unset or false; true is only reasonable against a
# disposable test ACME server with a self-signed certificate.
4025 skipTLSVerify:
4026 description: If true, skip verifying the ACME server TLS certificate
4027 type: boolean
4028 solvers:
4029 description: Solvers is a list of challenge solvers that will be
4030 used to solve ACME challenges for the matching domains.
4031 items:
4032 properties:
4033 dns01:
4034 properties:
4035 acmedns:
4036 description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
4037 containing the configuration for ACME-DNS servers
4038 properties:
4039 accountSecretRef:
4040 properties:
4041 key:
4042 description: The key of the secret to select from.
4043 Must be a valid secret key.
4044 type: string
4045 name:
4046 description: 'Name of the referent. More info:
4047 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4048 TODO: Add other useful fields. apiVersion, kind,
4049 uid?'
4050 type: string
4051 required:
4052 - name
4053 type: object
4054 host:
4055 type: string
4056 required:
4057 - accountSecretRef
4058 - host
4059 type: object
4060 akamai:
4061 description: ACMEIssuerDNS01ProviderAkamai is a structure
4062 containing the DNS configuration for Akamai DNS—Zone
4063 Record Management API
4064 properties:
4065 accessTokenSecretRef:
4066 properties:
4067 key:
4068 description: The key of the secret to select from.
4069 Must be a valid secret key.
4070 type: string
4071 name:
4072 description: 'Name of the referent. More info:
4073 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4074 TODO: Add other useful fields. apiVersion, kind,
4075 uid?'
4076 type: string
4077 required:
4078 - name
4079 type: object
4080 clientSecretSecretRef:
4081 properties:
4082 key:
4083 description: The key of the secret to select from.
4084 Must be a valid secret key.
4085 type: string
4086 name:
4087 description: 'Name of the referent. More info:
4088 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4089 TODO: Add other useful fields. apiVersion, kind,
4090 uid?'
4091 type: string
4092 required:
4093 - name
4094 type: object
4095 clientTokenSecretRef:
4096 properties:
4097 key:
4098 description: The key of the secret to select from.
4099 Must be a valid secret key.
4100 type: string
4101 name:
4102 description: 'Name of the referent. More info:
4103 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4104 TODO: Add other useful fields. apiVersion, kind,
4105 uid?'
4106 type: string
4107 required:
4108 - name
4109 type: object
4110 serviceConsumerDomain:
4111 type: string
4112 required:
4113 - accessTokenSecretRef
4114 - clientSecretSecretRef
4115 - clientTokenSecretRef
4116 - serviceConsumerDomain
4117 type: object
4118 azuredns:
4119 description: ACMEIssuerDNS01ProviderAzureDNS is a structure
4120 containing the configuration for Azure DNS
4121 properties:
4122 clientID:
4123 type: string
4124 clientSecretSecretRef:
4125 properties:
4126 key:
4127 description: The key of the secret to select from.
4128 Must be a valid secret key.
4129 type: string
4130 name:
4131 description: 'Name of the referent. More info:
4132 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4133 TODO: Add other useful fields. apiVersion, kind,
4134 uid?'
4135 type: string
4136 required:
4137 - name
4138 type: object
4139 environment:
4140 enum:
4141 - AzurePublicCloud
4142 - AzureChinaCloud
4143 - AzureGermanCloud
4144 - AzureUSGovernmentCloud
4145 type: string
4146 hostedZoneName:
4147 type: string
4148 resourceGroupName:
4149 type: string
4150 subscriptionID:
4151 type: string
4152 tenantID:
4153 type: string
4154 required:
4155 - clientID
4156 - clientSecretSecretRef
4157 - resourceGroupName
4158 - subscriptionID
4159 - tenantID
4160 type: object
4161 clouddns:
4162 description: ACMEIssuerDNS01ProviderCloudDNS is a structure
4163 containing the DNS configuration for Google Cloud DNS
4164 properties:
4165 project:
4166 type: string
4167 serviceAccountSecretRef:
4168 properties:
4169 key:
4170 description: The key of the secret to select from.
4171 Must be a valid secret key.
4172 type: string
4173 name:
4174 description: 'Name of the referent. More info:
4175 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4176 TODO: Add other useful fields. apiVersion, kind,
4177 uid?'
4178 type: string
4179 required:
4180 - name
4181 type: object
4182 required:
4183 - project
4184 type: object
4185 cloudflare:
4186 description: ACMEIssuerDNS01ProviderCloudflare is a structure
4187 containing the DNS configuration for Cloudflare
4188 properties:
4189 apiKeySecretRef:
4190 properties:
4191 key:
4192 description: The key of the secret to select from.
4193 Must be a valid secret key.
4194 type: string
4195 name:
4196 description: 'Name of the referent. More info:
4197 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4198 TODO: Add other useful fields. apiVersion, kind,
4199 uid?'
4200 type: string
4201 required:
4202 - name
4203 type: object
4204 apiTokenSecretRef:
4205 properties:
4206 key:
4207 description: The key of the secret to select from.
4208 Must be a valid secret key.
4209 type: string
4210 name:
4211 description: 'Name of the referent. More info:
4212 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4213 TODO: Add other useful fields. apiVersion, kind,
4214 uid?'
4215 type: string
4216 required:
4217 - name
4218 type: object
4219 email:
4220 type: string
4221 required:
4222 - email
4223 type: object
4224 cnameStrategy:
4225 description: CNAMEStrategy configures how the DNS01 provider
4226 should handle CNAME records when found in DNS zones.
4227 enum:
4228 - None
4229 - Follow
4230 type: string
4231 digitalocean:
4232 description: ACMEIssuerDNS01ProviderDigitalOcean is a
4233 structure containing the DNS configuration for DigitalOcean
4234 Domains
4235 properties:
4236 tokenSecretRef:
4237 properties:
4238 key:
4239 description: The key of the secret to select from.
4240 Must be a valid secret key.
4241 type: string
4242 name:
4243 description: 'Name of the referent. More info:
4244 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4245 TODO: Add other useful fields. apiVersion, kind,
4246 uid?'
4247 type: string
4248 required:
4249 - name
4250 type: object
4251 required:
4252 - tokenSecretRef
4253 type: object
4254 rfc2136:
4255 description: ACMEIssuerDNS01ProviderRFC2136 is a structure
4256 containing the configuration for RFC2136 DNS
4257 properties:
4258 nameserver:
4259 description: 'The IP address of the DNS supporting
4260 RFC2136. Required. Note: FQDN is not a valid value,
4261 only IP.'
4262 type: string
4263 tsigAlgorithm:
4264 description: 'The TSIG Algorithm configured in the
4265 DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
4266 and ``tsigKeyName`` are defined. Supported values
4267 are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
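4268 ``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` is a legacy algorithm; set ``HMACSHA256`` or ``HMACSHA512`` explicitly where the DNS server supports it.'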
4269 type: string
4270 tsigKeyName:
4271 description: The TSIG Key name configured in the DNS.
4272 If ``tsigSecretSecretRef`` is defined, this field
4273 is required.
4274 type: string
4275 tsigSecretSecretRef:
4276 description: The name of the secret containing the
4277 TSIG value. If ``tsigKeyName`` is defined, this
4278 field is required.
4279 properties:
4280 key:
4281 description: The key of the secret to select from.
4282 Must be a valid secret key.
4283 type: string
4284 name:
4285 description: 'Name of the referent. More info:
4286 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4287 TODO: Add other useful fields. apiVersion, kind,
4288 uid?'
4289 type: string
4290 required:
4291 - name
4292 type: object
4293 required:
4294 - nameserver
4295 type: object
4296 route53:
4297 description: ACMEIssuerDNS01ProviderRoute53 is a structure
4298 containing the Route 53 configuration for AWS
4299 properties:
4300 accessKeyID:
4301 description: 'The AccessKeyID is used for authentication.
4302 If not set we fall-back to using env vars, shared
4303 credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
4304 type: string
4305 hostedZoneID:
4306 description: If set, the provider will manage only
4307 this zone in Route53 and will not do a lookup using
4308 the route53:ListHostedZonesByName api call.
4309 type: string
4310 region:
4311 description: Always set the region when using AccessKeyID
4312 and SecretAccessKey
4313 type: string
4314 role:
4315 description: Role is a Role ARN which the Route53
4316 provider will assume using either the explicit credentials
4317 AccessKeyID/SecretAccessKey or the inferred credentials
4318 from environment variables, shared credentials file
4319 or AWS Instance metadata
4320 type: string
4321 secretAccessKeySecretRef:
4322 description: The SecretAccessKey is used for authentication.
4323 If not set we fall-back to using env vars, shared
4324 credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4325 properties:
4326 key:
4327 description: The key of the secret to select from.
4328 Must be a valid secret key.
4329 type: string
4330 name:
4331 description: 'Name of the referent. More info:
4332 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4333 TODO: Add other useful fields. apiVersion, kind,
4334 uid?'
4335 type: string
4336 required:
4337 - name
4338 type: object
4339 required:
4340 - region
4341 type: object
4342 webhook:
4343 description: ACMEIssuerDNS01ProviderWebhook specifies
4344 configuration for a webhook DNS01 provider, including
4345 where to POST ChallengePayload resources.
4346 properties:
4347 config:
4348 description: Additional configuration that should
4349 be passed to the webhook apiserver when challenges
4350 are processed. This can contain arbitrary JSON data.
4351 Secret values should not be specified in this stanza.
4352 If secret values are needed (e.g. credentials for
4353 a DNS service), you should use a SecretKeySelector
4354 to reference a Secret resource. For details on the
4355 schema of this field, consult the webhook provider
4356 implementation's documentation.
4357 x-kubernetes-preserve-unknown-fields: true
4358 groupName:
4359 description: The API group name that should be used
4360 when POSTing ChallengePayload resources to the webhook
4361 apiserver. This should be the same as the GroupName
4362 specified in the webhook provider implementation.
4363 type: string
4364 solverName:
4365 description: The name of the solver to use, as defined
4366 in the webhook provider implementation. This will
4367 typically be the name of the provider, e.g. 'cloudflare'.
4368 type: string
4369 required:
4370 - groupName
4371 - solverName
4372 type: object
4373 type: object
4374 http01:
4375 description: ACMEChallengeSolverHTTP01 contains configuration
4376 detailing how to solve HTTP01 challenges within a Kubernetes
4377 cluster. Typically this is accomplished through creating
4378 'routes' of some description that configure ingress controllers
4379 to direct traffic to 'solver pods', which are responsible
4380 for responding to the ACME server's HTTP requests.
4381 properties:
4382 ingress:
4383 description: The ingress based HTTP01 challenge solver
4384 will solve challenges by creating or modifying Ingress
4385 resources in order to route requests for '/.well-known/acme-challenge/XYZ'
4386 to 'challenge solver' pods that are provisioned by cert-manager
4387 for each Challenge to be completed.
4388 properties:
4389 class:
4390 description: The ingress class to use when creating
4391 Ingress resources to solve ACME challenges that
4392 use this challenge solver. Only one of 'class' or
4393 'name' may be specified.
4394 type: string
4395 name:
4396 description: The name of the ingress resource that
4397 should have ACME challenge solving routes inserted
4398 into it in order to solve HTTP01 challenges. This
4399 is typically used in conjunction with ingress controllers
4400 like ingress-gce, which maintains a 1:1 mapping
4401 between external IPs and ingress resources.
4402 type: string
4403 podTemplate:
4404 description: Optional pod template used to configure
4405 the ACME challenge solver pods used for HTTP01 challenges
4406 properties:
4407 metadata:
4408 description: ObjectMeta overrides for the pod
4409 used to solve HTTP01 challenges. Only the 'labels'
4410 and 'annotations' fields may be set. If labels
4411 or annotations overlap with in-built values,
4412 the values here will override the in-built values.
4413 properties:
4414 annotations:
4415 additionalProperties:
4416 type: string
4417 description: Annotations that should be added
4418 to the created ACME HTTP01 solver pods.
4419 type: object
4420 labels:
4421 additionalProperties:
4422 type: string
4423 description: Labels that should be added to
4424 the created ACME HTTP01 solver pods.
4425 type: object
4426 type: object
4427 spec:
4428 description: PodSpec defines overrides for the
4429 HTTP01 challenge solver pod. Only the 'nodeSelector',
4430 'affinity' and 'tolerations' fields are supported
4431 currently. All other fields will be ignored.
4432 properties:
4433 affinity:
4434 description: If specified, the pod's scheduling
4435 constraints
4436 properties:
4437 nodeAffinity:
4438 description: Describes node affinity scheduling
4439 rules for the pod.
4440 properties:
4441 preferredDuringSchedulingIgnoredDuringExecution:
4442 description: The scheduler will prefer
4443 to schedule pods to nodes that satisfy
4444 the affinity expressions specified
4445 by this field, but it may choose
4446 a node that violates one or more
4447 of the expressions. The node that
4448 is most preferred is the one with
4449 the greatest sum of weights, i.e.
4450 for each node that meets all of
4451 the scheduling requirements (resource
4452 request, requiredDuringScheduling
4453 affinity expressions, etc.), compute
4454 a sum by iterating through the elements
4455 of this field and adding "weight"
4456 to the sum if the node matches the
4457 corresponding matchExpressions;
4458 the node(s) with the highest sum
4459 are the most preferred.
4460 items:
4461 description: An empty preferred
4462 scheduling term matches all objects
4463 with implicit weight 0 (i.e. it's
4464 a no-op). A null preferred scheduling
4465 term matches no objects (i.e.
4466 is also a no-op).
4467 properties:
4468 preference:
4469 description: A node selector
4470 term, associated with the
4471 corresponding weight.
4472 properties:
4473 matchExpressions:
4474 description: A list of node
4475 selector requirements
4476 by node's labels.
4477 items:
4478 description: A node selector
4479 requirement is a selector
4480 that contains values,
4481 a key, and an operator
4482 that relates the key
4483 and values.
4484 properties:
4485 key:
4486 description: The label
4487 key that the selector
4488 applies to.
4489 type: string
4490 operator:
4491 description: Represents
4492 a key's relationship
4493 to a set of values.
4494 Valid operators
4495 are In, NotIn, Exists,
4496 DoesNotExist, Gt,
4497 and Lt.
4498 type: string
4499 values:
4500 description: An array
4501 of string values.
4502 If the operator
4503 is In or NotIn,
4504 the values array
4505 must be non-empty.
4506 If the operator
4507 is Exists or DoesNotExist,
4508 the values array
4509 must be empty. If
4510 the operator is
4511 Gt or Lt, the values
4512 array must have
4513 a single element,
4514 which will be interpreted
4515 as an integer. This
4516 array is replaced
4517 during a strategic
4518 merge patch.
4519 items:
4520 type: string
4521 type: array
4522 required:
4523 - key
4524 - operator
4525 type: object
4526 type: array
4527 matchFields:
4528 description: A list of node
4529 selector requirements
4530 by node's fields.
4531 items:
4532 description: A node selector
4533 requirement is a selector
4534 that contains values,
4535 a key, and an operator
4536 that relates the key
4537 and values.
4538 properties:
4539 key:
4540 description: The label
4541 key that the selector
4542 applies to.
4543 type: string
4544 operator:
4545 description: Represents
4546 a key's relationship
4547 to a set of values.
4548 Valid operators
4549 are In, NotIn, Exists,
4550 DoesNotExist, Gt,
4551 and Lt.
4552 type: string
4553 values:
4554 description: An array
4555 of string values.
4556 If the operator
4557 is In or NotIn,
4558 the values array
4559 must be non-empty.
4560 If the operator
4561 is Exists or DoesNotExist,
4562 the values array
4563 must be empty. If
4564 the operator is
4565 Gt or Lt, the values
4566 array must have
4567 a single element,
4568 which will be interpreted
4569 as an integer. This
4570 array is replaced
4571 during a strategic
4572 merge patch.
4573 items:
4574 type: string
4575 type: array
4576 required:
4577 - key
4578 - operator
4579 type: object
4580 type: array
4581 type: object
4582 weight:
4583 description: Weight associated
4584 with matching the corresponding
4585 nodeSelectorTerm, in the range
4586 1-100.
4587 format: int32
4588 type: integer
4589 required:
4590 - preference
4591 - weight
4592 type: object
4593 type: array
4594 requiredDuringSchedulingIgnoredDuringExecution:
4595 description: If the affinity requirements
4596 specified by this field are not
4597 met at scheduling time, the pod
4598 will not be scheduled onto the node.
4599 If the affinity requirements specified
4600 by this field cease to be met at
4601 some point during pod execution
4602 (e.g. due to an update), the system
4603 may or may not try to eventually
4604 evict the pod from its node.
4605 properties:
4606 nodeSelectorTerms:
4607 description: Required. A list
4608 of node selector terms. The
4609 terms are ORed.
4610 items:
4611 description: A null or empty
4612 node selector term matches
4613 no objects. The requirements
4614 of them are ANDed. The TopologySelectorTerm
4615 type implements a subset of
4616 the NodeSelectorTerm.
4617 properties:
4618 matchExpressions:
4619 description: A list of node
4620 selector requirements
4621 by node's labels.
4622 items:
4623 description: A node selector
4624 requirement is a selector
4625 that contains values,
4626 a key, and an operator
4627 that relates the key
4628 and values.
4629 properties:
4630 key:
4631 description: The label
4632 key that the selector
4633 applies to.
4634 type: string
4635 operator:
4636 description: Represents
4637 a key's relationship
4638 to a set of values.
4639 Valid operators
4640 are In, NotIn, Exists,
4641 DoesNotExist, Gt,
4642 and Lt.
4643 type: string
4644 values:
4645 description: An array
4646 of string values.
4647 If the operator
4648 is In or NotIn,
4649 the values array
4650 must be non-empty.
4651 If the operator
4652 is Exists or DoesNotExist,
4653 the values array
4654 must be empty. If
4655 the operator is
4656 Gt or Lt, the values
4657 array must have
4658 a single element,
4659 which will be interpreted
4660 as an integer. This
4661 array is replaced
4662 during a strategic
4663 merge patch.
4664 items:
4665 type: string
4666 type: array
4667 required:
4668 - key
4669 - operator
4670 type: object
4671 type: array
4672 matchFields:
4673 description: A list of node
4674 selector requirements
4675 by node's fields.
4676 items:
4677 description: A node selector
4678 requirement is a selector
4679 that contains values,
4680 a key, and an operator
4681 that relates the key
4682 and values.
4683 properties:
4684 key:
4685 description: The label
4686 key that the selector
4687 applies to.
4688 type: string
4689 operator:
4690 description: Represents
4691 a key's relationship
4692 to a set of values.
4693 Valid operators
4694 are In, NotIn, Exists,
4695 DoesNotExist, Gt,
4696 and Lt.
4697 type: string
4698 values:
4699 description: An array
4700 of string values.
4701 If the operator
4702 is In or NotIn,
4703 the values array
4704 must be non-empty.
4705 If the operator
4706 is Exists or DoesNotExist,
4707 the values array
4708 must be empty. If
4709 the operator is
4710 Gt or Lt, the values
4711 array must have
4712 a single element,
4713 which will be interpreted
4714 as an integer. This
4715 array is replaced
4716 during a strategic
4717 merge patch.
4718 items:
4719 type: string
4720 type: array
4721 required:
4722 - key
4723 - operator
4724 type: object
4725 type: array
4726 type: object
4727 type: array
4728 required:
4729 - nodeSelectorTerms
4730 type: object
4731 type: object
4732 podAffinity:
4733 description: Describes pod affinity scheduling
4734 rules (e.g. co-locate this pod in the
4735 same node, zone, etc. as some other
4736 pod(s)).
4737 properties:
4738 preferredDuringSchedulingIgnoredDuringExecution:
4739 description: The scheduler will prefer
4740 to schedule pods to nodes that satisfy
4741 the affinity expressions specified
4742 by this field, but it may choose
4743 a node that violates one or more
4744 of the expressions. The node that
4745 is most preferred is the one with
4746 the greatest sum of weights, i.e.
4747 for each node that meets all of
4748 the scheduling requirements (resource
4749 request, requiredDuringScheduling
4750 affinity expressions, etc.), compute
4751 a sum by iterating through the elements
4752 of this field and adding "weight"
4753 to the sum if the node has pods
4754 which match the corresponding
4755 podAffinityTerm; the node(s) with
4756 the highest sum are the most preferred.
4757 items:
4758 description: The weights of all
4759 of the matched WeightedPodAffinityTerm
4760 fields are added per-node to find
4761 the most preferred node(s)
4762 properties:
4763 podAffinityTerm:
4764 description: Required. A pod
4765 affinity term, associated
4766 with the corresponding weight.
4767 properties:
4768 labelSelector:
4769 description: A label query
4770 over a set of resources,
4771 in this case pods.
4772 properties:
4773 matchExpressions:
4774 description: matchExpressions
4775 is a list of label
4776 selector requirements.
4777 The requirements are
4778 ANDed.
4779 items:
4780 description: A label
4781 selector requirement
4782 is a selector that
4783 contains values,
4784 a key, and an operator
4785 that relates the
4786 key and values.
4787 properties:
4788 key:
4789 description: key
4790 is the label
4791 key that the
4792 selector applies
4793 to.
4794 type: string
4795 operator:
4796 description: operator
4797 represents a
4798 key's relationship
4799 to a set of
4800 values. Valid
4801 operators are
4802 In, NotIn, Exists
4803 and DoesNotExist.
4804 type: string
4805 values:
4806 description: values
4807 is an array
4808 of string values.
4809 If the operator
4810 is In or NotIn,
4811 the values array
4812 must be non-empty.
4813 If the operator
4814 is Exists or
4815 DoesNotExist,
4816 the values array
4817 must be empty.
4818 This array is
4819 replaced during
4820 a strategic
4821 merge patch.
4822 items:
4823 type: string
4824 type: array
4825 required:
4826 - key
4827 - operator
4828 type: object
4829 type: array
4830 matchLabels:
4831 additionalProperties:
4832 type: string
4833 description: matchLabels
4834 is a map of {key,value}
4835 pairs. A single {key,value}
4836 in the matchLabels
4837 map is equivalent
4838 to an element of matchExpressions,
4839 whose key field is
4840 "key", the operator
4841 is "In", and the values
4842 array contains only
4843 "value". The requirements
4844 are ANDed.
4845 type: object
4846 type: object
4847 namespaces:
4848 description: namespaces
4849 specifies which namespaces
4850 the labelSelector applies
4851 to (matches against);
4852 null or empty list means
4853 "this pod's namespace"
4854 items:
4855 type: string
4856 type: array
4857 topologyKey:
4858 description: This pod should
4859 be co-located (affinity)
4860 or not co-located (anti-affinity)
4861 with the pods matching
4862 the labelSelector in the
4863 specified namespaces,
4864 where co-located is defined
4865 as running on a node whose
4866 value of the label with
4867 key topologyKey matches
4868 that of any node on which
4869 any of the selected pods
4870 is running. Empty topologyKey
4871 is not allowed.
4872 type: string
4873 required:
4874 - topologyKey
4875 type: object
4876 weight:
4877 description: weight associated
4878 with matching the corresponding
4879 podAffinityTerm, in the range
4880 1-100.
4881 format: int32
4882 type: integer
4883 required:
4884 - podAffinityTerm
4885 - weight
4886 type: object
4887 type: array
4888 requiredDuringSchedulingIgnoredDuringExecution:
4889 description: If the affinity requirements
4890 specified by this field are not
4891 met at scheduling time, the pod
4892 will not be scheduled onto the node.
4893 If the affinity requirements specified
4894 by this field cease to be met at
4895 some point during pod execution
4896 (e.g. due to a pod label update),
4897 the system may or may not try to
4898 eventually evict the pod from its
4899 node. When there are multiple elements,
4900 the lists of nodes corresponding
4901 to each podAffinityTerm are intersected,
4902 i.e. all terms must be satisfied.
4903 items:
4904 description: Defines a set of pods
4905 (namely those matching the labelSelector
4906 relative to the given namespace(s))
4907 that this pod should be co-located
4908 (affinity) or not co-located (anti-affinity)
4909 with, where co-located is defined
4910 as running on a node whose value
4911 of the label with key <topologyKey>
4912 matches that of any node on which
4913 a pod of the set of pods is running
4914 properties:
4915 labelSelector:
4916 description: A label query over
4917 a set of resources, in this
4918 case pods.
4919 properties:
4920 matchExpressions:
4921 description: matchExpressions
4922 is a list of label selector
4923 requirements. The requirements
4924 are ANDed.
4925 items:
4926 description: A label selector
4927 requirement is a selector
4928 that contains values,
4929 a key, and an operator
4930 that relates the key
4931 and values.
4932 properties:
4933 key:
4934 description: key is
4935 the label key that
4936 the selector applies
4937 to.
4938 type: string
4939 operator:
4940 description: operator
4941 represents a key's
4942 relationship to
4943 a set of values.
4944 Valid operators
4945 are In, NotIn, Exists
4946 and DoesNotExist.
4947 type: string
4948 values:
4949 description: values
4950 is an array of string
4951 values. If the operator
4952 is In or NotIn,
4953 the values array
4954 must be non-empty.
4955 If the operator
4956 is Exists or DoesNotExist,
4957 the values array
4958 must be empty. This
4959 array is replaced
4960 during a strategic
4961 merge patch.
4962 items:
4963 type: string
4964 type: array
4965 required:
4966 - key
4967 - operator
4968 type: object
4969 type: array
4970 matchLabels:
4971 additionalProperties:
4972 type: string
4973 description: matchLabels
4974 is a map of {key,value}
4975 pairs. A single {key,value}
4976 in the matchLabels map
4977 is equivalent to an element
4978 of matchExpressions, whose
4979 key field is "key", the
4980 operator is "In", and
4981 the values array contains
4982 only "value". The requirements
4983 are ANDed.
4984 type: object
4985 type: object
4986 namespaces:
4987 description: namespaces specifies
4988 which namespaces the labelSelector
4989 applies to (matches against);
4990 null or empty list means "this
4991 pod's namespace"
4992 items:
4993 type: string
4994 type: array
4995 topologyKey:
4996 description: This pod should
4997 be co-located (affinity) or
4998 not co-located (anti-affinity)
4999 with the pods matching the
5000 labelSelector in the specified
5001 namespaces, where co-located
5002 is defined as running on a
5003 node whose value of the label
5004 with key topologyKey matches
5005 that of any node on which
5006 any of the selected pods is
5007 running. Empty topologyKey
5008 is not allowed.
5009 type: string
5010 required:
5011 - topologyKey
5012 type: object
5013 type: array
5014 type: object
5015 podAntiAffinity:
5016 description: Describes pod anti-affinity
5017 scheduling rules (e.g. avoid putting
5018 this pod in the same node, zone, etc.
5019 as some other pod(s)).
5020 properties:
5021 preferredDuringSchedulingIgnoredDuringExecution:
5022 description: The scheduler will prefer
5023 to schedule pods to nodes that satisfy
5024 the anti-affinity expressions specified
5025 by this field, but it may choose
5026 a node that violates one or more
5027 of the expressions. The node that
5028 is most preferred is the one with
5029 the greatest sum of weights, i.e.
5030 for each node that meets all of
5031 the scheduling requirements (resource
5032 request, requiredDuringScheduling
5033 anti-affinity expressions, etc.),
5034 compute a sum by iterating through
5035 the elements of this field and adding
5036 "weight" to the sum if the node
5037 has pods which match the corresponding
5038 podAffinityTerm; the node(s) with
5039 the highest sum are the most preferred.
5040 items:
5041 description: The weights of all
5042 of the matched WeightedPodAffinityTerm
5043 fields are added per-node to find
5044 the most preferred node(s)
5045 properties:
5046 podAffinityTerm:
5047 description: Required. A pod
5048 affinity term, associated
5049 with the corresponding weight.
5050 properties:
5051 labelSelector:
5052 description: A label query
5053 over a set of resources,
5054 in this case pods.
5055 properties:
5056 matchExpressions:
5057 description: matchExpressions
5058 is a list of label
5059 selector requirements.
5060 The requirements are
5061 ANDed.
5062 items:
5063 description: A label
5064 selector requirement
5065 is a selector that
5066 contains values,
5067 a key, and an operator
5068 that relates the
5069 key and values.
5070 properties:
5071 key:
5072 description: key
5073 is the label
5074 key that the
5075 selector applies
5076 to.
5077 type: string
5078 operator:
5079 description: operator
5080 represents a
5081 key's relationship
5082 to a set of
5083 values. Valid
5084 operators are
5085 In, NotIn, Exists
5086 and DoesNotExist.
5087 type: string
5088 values:
5089 description: values
5090 is an array
5091 of string values.
5092 If the operator
5093 is In or NotIn,
5094 the values array
5095 must be non-empty.
5096 If the operator
5097 is Exists or
5098 DoesNotExist,
5099 the values array
5100 must be empty.
5101 This array is
5102 replaced during
5103 a strategic
5104 merge patch.
5105 items:
5106 type: string
5107 type: array
5108 required:
5109 - key
5110 - operator
5111 type: object
5112 type: array
5113 matchLabels:
5114 additionalProperties:
5115 type: string
5116 description: matchLabels
5117 is a map of {key,value}
5118 pairs. A single {key,value}
5119 in the matchLabels
5120 map is equivalent
5121 to an element of matchExpressions,
5122 whose key field is
5123 "key", the operator
5124 is "In", and the values
5125 array contains only
5126 "value". The requirements
5127 are ANDed.
5128 type: object
5129 type: object
5130 namespaces:
5131 description: namespaces
5132 specifies which namespaces
5133 the labelSelector applies
5134 to (matches against);
5135 null or empty list means
5136 "this pod's namespace"
5137 items:
5138 type: string
5139 type: array
5140 topologyKey:
5141 description: This pod should
5142 be co-located (affinity)
5143 or not co-located (anti-affinity)
5144 with the pods matching
5145 the labelSelector in the
5146 specified namespaces,
5147 where co-located is defined
5148 as running on a node whose
5149 value of the label with
5150 key topologyKey matches
5151 that of any node on which
5152 any of the selected pods
5153 is running. Empty topologyKey
5154 is not allowed.
5155 type: string
5156 required:
5157 - topologyKey
5158 type: object
5159 weight:
5160 description: weight associated
5161 with matching the corresponding
5162 podAffinityTerm, in the range
5163 1-100.
5164 format: int32
5165 type: integer
5166 required:
5167 - podAffinityTerm
5168 - weight
5169 type: object
5170 type: array
5171 requiredDuringSchedulingIgnoredDuringExecution:
5172 description: If the anti-affinity
5173 requirements specified by this field
5174 are not met at scheduling time,
5175 the pod will not be scheduled onto
5176 the node. If the anti-affinity requirements
5177 specified by this field cease to
5178 be met at some point during pod
5179 execution (e.g. due to a pod label
5180 update), the system may or may not
5181 try to eventually evict the pod
5182 from its node. When there are multiple
5183 elements, the lists of nodes corresponding
5184 to each podAffinityTerm are intersected,
5185 i.e. all terms must be satisfied.
5186 items:
5187 description: Defines a set of pods
5188 (namely those matching the labelSelector
5189 relative to the given namespace(s))
5190 that this pod should be co-located
5191 (affinity) or not co-located (anti-affinity)
5192 with, where co-located is defined
5193 as running on a node whose value
5194 of the label with key <topologyKey>
5195 matches that of any node on which
5196 a pod of the set of pods is running
5197 properties:
5198 labelSelector:
5199 description: A label query over
5200 a set of resources, in this
5201 case pods.
5202 properties:
5203 matchExpressions:
5204 description: matchExpressions
5205 is a list of label selector
5206 requirements. The requirements
5207 are ANDed.
5208 items:
5209 description: A label selector
5210 requirement is a selector
5211 that contains values,
5212 a key, and an operator
5213 that relates the key
5214 and values.
5215 properties:
5216 key:
5217 description: key is
5218 the label key that
5219 the selector applies
5220 to.
5221 type: string
5222 operator:
5223 description: operator
5224 represents a key's
5225 relationship to
5226 a set of values.
5227 Valid operators
5228 are In, NotIn, Exists
5229 and DoesNotExist.
5230 type: string
5231 values:
5232 description: values
5233 is an array of string
5234 values. If the operator
5235 is In or NotIn,
5236 the values array
5237 must be non-empty.
5238 If the operator
5239 is Exists or DoesNotExist,
5240 the values array
5241 must be empty. This
5242 array is replaced
5243 during a strategic
5244 merge patch.
5245 items:
5246 type: string
5247 type: array
5248 required:
5249 - key
5250 - operator
5251 type: object
5252 type: array
5253 matchLabels:
5254 additionalProperties:
5255 type: string
5256 description: matchLabels
5257 is a map of {key,value}
5258 pairs. A single {key,value}
5259 in the matchLabels map
5260 is equivalent to an element
5261 of matchExpressions, whose
5262 key field is "key", the
5263 operator is "In", and
5264 the values array contains
5265 only "value". The requirements
5266 are ANDed.
5267 type: object
5268 type: object
5269 namespaces:
5270 description: namespaces specifies
5271 which namespaces the labelSelector
5272 applies to (matches against);
5273 null or empty list means "this
5274 pod's namespace"
5275 items:
5276 type: string
5277 type: array
5278 topologyKey:
5279 description: This pod should
5280 be co-located (affinity) or
5281 not co-located (anti-affinity)
5282 with the pods matching the
5283 labelSelector in the specified
5284 namespaces, where co-located
5285 is defined as running on a
5286 node whose value of the label
5287 with key topologyKey matches
5288 that of any node on which
5289 any of the selected pods is
5290 running. Empty topologyKey
5291 is not allowed.
5292 type: string
5293 required:
5294 - topologyKey
5295 type: object
5296 type: array
5297 type: object
5298 type: object
5299 nodeSelector:
5300 additionalProperties:
5301 type: string
5302 description: 'NodeSelector is a selector which
5303 must be true for the pod to fit on a node.
5304 Selector which must match a node''s labels
5305 for the pod to be scheduled on that node.
5306 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
5307 type: object
5308 tolerations:
5309 description: If specified, the pod's tolerations.
5310 items:
5311 description: The pod this Toleration is
5312 attached to tolerates any taint that matches
5313 the triple <key,value,effect> using the
5314 matching operator <operator>.
5315 properties:
5316 effect:
5317 description: Effect indicates the taint
5318 effect to match. Empty means match
5319 all taint effects. When specified,
5320 allowed values are NoSchedule, PreferNoSchedule
5321 and NoExecute.
5322 type: string
5323 key:
5324 description: Key is the taint key that
5325 the toleration applies to. Empty means
5326 match all taint keys. If the key is
5327 empty, operator must be Exists; this
5328 combination means to match all values
5329 and all keys.
5330 type: string
5331 operator:
5332 description: Operator represents a key's
5333 relationship to the value. Valid operators
5334 are Exists and Equal. Defaults to
5335 Equal. Exists is equivalent to wildcard
5336 for value, so that a pod can tolerate
5337 all taints of a particular category.
5338 type: string
5339 tolerationSeconds:
5340 description: TolerationSeconds represents
5341 the period of time the toleration
5342 (which must be of effect NoExecute,
5343 otherwise this field is ignored) tolerates
5344 the taint. By default, it is not set,
5345 which means tolerate the taint forever
5346 (do not evict). Zero and negative
5347 values will be treated as 0 (evict
5348 immediately) by the system.
5349 format: int64
5350 type: integer
5351 value:
5352 description: Value is the taint value
5353 the toleration matches to. If the
5354 operator is Exists, the value should
5355 be empty, otherwise just a regular
5356 string.
5357 type: string
5358 type: object
5359 type: array
5360 type: object
5361 type: object
5362 serviceType:
5363 description: Optional service type for Kubernetes
5364 solver service
5365 type: string
5366 type: object
5367 type: object
5368 selector:
5369 description: Selector selects a set of DNSNames on the Certificate
5370 resource that should be solved using this challenge solver.
5371 properties:
5372 dnsNames:
5373 description: List of DNSNames that this solver will be
5374 used to solve. If specified and a match is found, a
5375 dnsNames selector will take precedence over a dnsZones
5376 selector. If multiple solvers match with the same dnsNames
5377 value, the solver with the most matching labels in matchLabels
5378 will be selected. If neither has more matches, the solver
5379 defined earlier in the list will be selected.
5380 items:
5381 type: string
5382 type: array
5383 dnsZones:
5384 description: List of DNSZones that this solver will be
5385 used to solve. The most specific DNS zone match specified
5386 here will take precedence over other DNS zone matches,
5387 so a solver specifying sys.example.com will be selected
5388 over one specifying example.com for the domain www.sys.example.com.
5389 If multiple solvers match with the same dnsZones value,
5390 the solver with the most matching labels in matchLabels
5391 will be selected. If neither has more matches, the solver
5392 defined earlier in the list will be selected.
5393 items:
5394 type: string
5395 type: array
5396 matchLabels:
5397 additionalProperties:
5398 type: string
5399 description: A label selector that is used to refine the
5400 set of certificate's that this challenge solver will
5401 apply to.
5402 type: object
5403 type: object
5404 type: object
5405 type: array
5406 required:
5407 - privateKeySecretRef
5408 - server
5409 type: object
5410 ca:
5411 properties:
5412 secretName:
5413 description: SecretName is the name of the secret used to sign Certificates
5414 issued by this Issuer.
5415 type: string
5416 required:
5417 - secretName
5418 type: object
5419 selfSigned:
5420 type: object
5421 vault:
5422 properties:
5423 auth:
5424 description: Vault authentication
5425 properties:
5426 appRole:
5427 description: This Secret contains a AppRole and Secret
5428 properties:
5429 path:
5430 description: Where the authentication path is mounted in
5431 Vault.
5432 type: string
5433 roleId:
5434 type: string
5435 secretRef:
5436 properties:
5437 key:
5438 description: The key of the secret to select from. Must
5439 be a valid secret key.
5440 type: string
5441 name:
5442 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5443 TODO: Add other useful fields. apiVersion, kind, uid?'
5444 type: string
5445 required:
5446 - name
5447 type: object
5448 required:
5449 - path
5450 - roleId
5451 - secretRef
5452 type: object
5453 kubernetes:
5454 description: This contains a Role and Secret with a ServiceAccount
5455 token to authenticate with vault.
5456 properties:
5457 mountPath:
5458 description: The Vault mountPath here is the mount path
5459 to use when authenticating with Vault. For example, setting
5460 a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
5461 to authenticate with Vault. If unspecified, the default
5462 value "/v1/auth/kubernetes" will be used.
5463 type: string
5464 role:
5465 description: A required field containing the Vault Role
5466 to assume. A Role binds a Kubernetes ServiceAccount with
5467 a set of Vault policies.
5468 type: string
5469 secretRef:
5470 description: The required Secret field containing a Kubernetes
5471 ServiceAccount JWT used for authenticating with Vault.
5472 Use of 'ambient credentials' is not supported.
5473 properties:
5474 key:
5475 description: The key of the secret to select from. Must
5476 be a valid secret key.
5477 type: string
5478 name:
5479 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5480 TODO: Add other useful fields. apiVersion, kind, uid?'
5481 type: string
5482 required:
5483 - name
5484 type: object
5485 required:
5486 - role
5487 - secretRef
5488 type: object
5489 tokenSecretRef:
5490 description: This Secret contains the Vault token key
5491 properties:
5492 key:
5493 description: The key of the secret to select from. Must
5494 be a valid secret key.
5495 type: string
5496 name:
5497 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5498 TODO: Add other useful fields. apiVersion, kind, uid?'
5499 type: string
5500 required:
5501 - name
5502 type: object
5503 type: object
5504 caBundle:
5505 description: Base64 encoded CA bundle to validate Vault server certificate.
5506 Only used if the Server URL is using HTTPS protocol. This parameter
5507 is ignored for plain HTTP protocol connection. If not set the
5508 system root certificates are used to validate the TLS connection.
5509 format: byte
5510 type: string
5511 path:
5512 description: Vault URL path to the certificate role
5513 type: string
5514 server:
5515 description: Server is the vault connection address
5516 type: string
5517 required:
5518 - auth
5519 - path
5520 - server
5521 type: object
5522 venafi:
5523 description: VenafiIssuer describes issuer configuration details for
5524 Venafi Cloud.
5525 properties:
5526 cloud:
5527 description: Cloud specifies the Venafi cloud configuration settings.
5528 Only one of TPP or Cloud may be specified.
5529 properties:
5530 apiTokenSecretRef:
5531 description: APITokenSecretRef is a secret key selector for
5532 the Venafi Cloud API token.
5533 properties:
5534 key:
5535 description: The key of the secret to select from. Must
5536 be a valid secret key.
5537 type: string
5538 name:
5539 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5540 TODO: Add other useful fields. apiVersion, kind, uid?'
5541 type: string
5542 required:
5543 - name
5544 type: object
5545 url:
5546 description: URL is the base URL for Venafi Cloud
5547 type: string
5548 required:
5549 - apiTokenSecretRef
5550 type: object
5551 tpp:
5552 description: TPP specifies Trust Protection Platform configuration
5553 settings. Only one of TPP or Cloud may be specified.
5554 properties:
5555 caBundle:
5556 description: CABundle is a PEM encoded TLS certificate to use
5557 to verify connections to the TPP instance. If specified, system
5558 roots will not be used and the issuing CA for the TPP instance
5559 must be verifiable using the provided root. If not specified,
5560 the connection will be verified using the cert-manager system
5561 root certificates.
5562 format: byte
5563 type: string
5564 credentialsRef:
5565 description: CredentialsRef is a reference to a Secret containing
5566 the username and password for the TPP server. The secret must
5567 contain two keys, 'username' and 'password'.
5568 properties:
5569 name:
5570 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5571 TODO: Add other useful fields. apiVersion, kind, uid?'
5572 type: string
5573 required:
5574 - name
5575 type: object
5576 url:
5577 description: URL is the base URL for the Venafi TPP instance
5578 type: string
5579 required:
5580 - credentialsRef
5581 - url
5582 type: object
5583 zone:
5584 description: Zone is the Venafi Policy Zone to use for this issuer.
5585 All requests made to the Venafi platform will be restricted by
5586 the named zone policy. This field is required.
5587 type: string
5588 required:
5589 - zone
5590 type: object
5591 type: object
5592 status:
5593 description: IssuerStatus contains status information about an Issuer
5594 properties:
5595 acme:
5596 properties:
5597 lastRegisteredEmail:
5598 description: LastRegisteredEmail is the email associated with the
5599 latest registered ACME account, in order to track changes made
5600 to registered account associated with the Issuer
5601 type: string
5602 uri:
5603 description: URI is the unique account identifier, which can also
5604 be used to retrieve account details from the CA
5605 type: string
5606 type: object
5607 conditions:
5608 items:
5609 description: IssuerCondition contains condition information for an
5610 Issuer.
5611 properties:
5612 lastTransitionTime:
5613 description: LastTransitionTime is the timestamp corresponding
5614 to the last status change of this condition.
5615 format: date-time
5616 type: string
5617 message:
5618 description: Message is a human readable description of the details
5619 of the last transition, complementing reason.
5620 type: string
5621 reason:
5622 description: Reason is a brief machine readable explanation for
5623 the condition's last transition.
5624 type: string
5625 status:
5626 description: Status of the condition, one of ('True', 'False',
5627 'Unknown').
5628 enum:
5629 - "True"
5630 - "False"
5631 - Unknown
5632 type: string
5633 type:
5634 description: Type of the condition, currently ('Ready').
5635 type: string
5636 required:
5637 - status
5638 - type
5639 type: object
5640 type: array
5641 type: object
5642 type: object
5643 versions:
5644 - name: v1alpha2
5645 served: true
5646 storage: true
5647 - name: v1alpha3
5648 served: true
5649 storage: false
---
# CustomResourceDefinition for the namespaced Order resource in the
# acme.cert-manager.io API group (an Order placed with an ACME server).
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
# Moving to apiextensions.k8s.io/v1 needs a restructured spec (per-version
# schemas), not just a version bump.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Read by cainjector, which copies the CA from the named Secret
    # (namespace/name) into this CRD's conversion-webhook caBundle. Whoever can
    # write that Secret decides which TLS identity the API server trusts for
    # conversion, so write access to it should be tightly restricted.
    cert-manager.io/inject-ca-from-secret: kube-apps/cert-manager-webhook-tls
  name: orders.acme.cert-manager.io
spec:
  # Extra columns shown by `kubectl get orders`; priority 1 columns only appear
  # in wide output.
  additionalPrinterColumns:
    - JSONPath: .status.state
      name: State
      type: string
    - JSONPath: .spec.issuerRef.name
      name: Issuer
      priority: 1
      type: string
    - JSONPath: .status.reason
      name: Reason
      priority: 1
      type: string
    - JSONPath: .metadata.creationTimestamp
      description: CreationTimestamp is a timestamp representing the server time when
        this object was created. It is not guaranteed to be set in happens-before order
        across separate operations. Clients may not set this value. It is represented
        in RFC3339 form and is in UTC.
      name: Age
      type: date
  # Conversion between the served versions is delegated to the Service
  # kube-apps/cert-manager-webhook at path /convert.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: cert-manager-webhook
        namespace: kube-apps
        path: /convert
  group: acme.cert-manager.io
  names:
    kind: Order
    listKind: OrderList
    plural: orders
    singular: order
  # Fields not described by the schema below are pruned rather than stored.
  preserveUnknownFields: false
  scope: Namespaced
  # Enables the /status subresource (the orders controller role is granted
  # update on orders/status).
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: Order is a type to represent an Order with an ACME server
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              # format: byte means the value is carried base64-encoded.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
                - name
              type: object
          required:
            - csr
            - issuerRef
          type: object
        status:
          properties:
            authorizations:
              description: Authorizations contains data returned from the ACME server
                on what authorizations must be completed in order to validate the
                DNS names specified on the Order.
              items:
                description: ACMEAuthorization contains data returned from the ACME
                  server on an authorization that must be completed in order validate
                  a DNS name on an ACME Order resource.
                properties:
                  challenges:
                    description: Challenges specifies the challenge types offered
                      by the ACME server. One of these challenge types will be selected
                      when validating the DNS name and an appropriate Challenge resource
                      will be created to perform the ACME challenge process.
                    items:
                      description: Challenge specifies a challenge offered by the
                        ACME server for an Order. An appropriate Challenge resource
                        can be created to perform the ACME challenge process.
                      properties:
                        # The challenge token is stored in status, so it is
                        # readable by anyone who can read Order objects.
                        token:
                          description: Token is the token that must be presented for
                            this challenge. This is used to compute the 'key' that
                            must also be presented.
                          type: string
                        type:
                          description: Type is the type of challenge being offered,
                            e.g. http-01, dns-01
                          type: string
                        url:
                          description: URL is the URL of this challenge. It can be
                            used to retrieve additional metadata about the Challenge
                            from the ACME server.
                          type: string
                      required:
                        - token
                        - type
                        - url
                      type: object
                    type: array
                  identifier:
                    description: Identifier is the DNS name to be validated as part
                      of this authorization
                    type: string
                  url:
                    description: URL is the URL of the Authorization that must be
                      completed
                    type: string
                  wildcard:
                    description: Wildcard will be true if this authorization is for
                      a wildcard DNS name. If this is true, the identifier will be
                      the *non-wildcard* version of the DNS name. For example, if
                      '*.example.com' is the DNS name being validated, this field
                      will be 'true' and the 'identifier' field will be 'example.com'.
                    type: boolean
                required:
                  - url
                type: object
              type: array
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              format: byte
              type: string
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            # NOTE(review): the description names a 'success' state, but the enum
            # has no such value; 'valid' looks like the intended final state.
            # Confirm against the controller before relying on either name.
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
                - valid
                - ready
                - pending
                - processing
                - invalid
                - expired
                - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
          type: object
      required:
        - metadata
      type: object
  # Both versions are served; objects are persisted as v1alpha2 (storage: true).
  versions:
    - name: v1alpha2
      served: true
      storage: true
    - name: v1alpha3
      served: true
      storage: false
---
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
# Identity used by the cainjector workload in the kube-apps namespace. Its
# permissions come from the ClusterRoleBinding of the same name, so this
# account's token should be treated as cluster-sensitive.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: kube-apps
  labels:
    app: cainjector
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cainjector
    helm.sh/chart: cert-manager-v0.14.1
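---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity used by the cert-manager controller in the kube-apps namespace.
# The controller ClusterRoleBindings in this manifest all name this account,
# including ones that grant access to Secrets in every namespace, so its token
# should be treated as cluster-sensitive.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-apps
  name: cert-manager
  # The template rendered a bare `annotations:` key, which parses as null;
  # spell out the empty mapping so the intent is explicit.
  annotations: {}
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1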
---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
# Identity used by the cert-manager webhook workload in the kube-apps
# namespace. The CRDs in this manifest send conversion requests to the Service
# of the same name.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: kube-apps
  labels:
    app: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: webhook
    helm.sh/chart: cert-manager-v0.14.1
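---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Cluster-wide permissions for the cainjector component.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "cainjector"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Read access to Secrets in every namespace, not only the ones that hold CA
  # material. Audit use of this role's subject accordingly.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  # The next three rules allow updating objects that carry caBundle trust
  # anchors (admission webhooks, aggregated APIs, CRD conversion webhooks).
  # Write access here affects which TLS endpoints the API server trusts.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]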
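---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # Read and write access to Secrets in every namespace. This is the broadest
  # grant in the role: a ClusterRole rule cannot be limited to the Secrets
  # that hold issued key pairs, so audit use of this role's subject.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]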
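---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # Read and write access to Secrets in every namespace (Issuers are
  # namespaced and reference Secrets by name). Audit use of this role's
  # subject accordingly.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]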
---
# Source: cert-manager/templates/rbac.yaml
# Read-only access to the namespaced cert-manager resources. The aggregate-to-*
# labels fold these rules into the built-in view, edit and admin ClusterRoles,
# so every subject bound to one of those roles gains this read access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-v0.14.1
    # Label values must stay strings, hence the quotes.
    rbac.authorization.k8s.io/aggregate-to-view: 'true'
    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - issuers
    verbs:
      - get
      - list
      - watch
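---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Read access to Secrets in every namespace; audit use of this role's
  # subject accordingly.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]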
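---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges.
  # The same rule serves the DNS01 solvers; the template repeated it verbatim at
  # the end of the list, and the repeat is dropped here because it granted
  # nothing extra. This is read access to Secrets in every namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  # Create/delete on pods and services applies in every namespace.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]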
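---
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): only the legacy "extensions" group is listed for ingresses;
  # confirm this matches the API group the controller actually requests on the
  # target cluster.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]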
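---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Read and write access to Secrets in every namespace; audit use of this
  # role's subject accordingly.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]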
---
# Source: cert-manager/templates/rbac.yaml
# Write access to the namespaced cert-manager resources. The aggregate-to-*
# labels fold these rules into the built-in edit and admin ClusterRoles, so
# every subject bound to one of those roles can create and change
# Certificates, CertificateRequests and Issuers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
    helm.sh/chart: cert-manager-v0.14.1
    # Label values must stay strings, hence the quotes.
    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - issuers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
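---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Binds the cert-manager-cainjector ClusterRole to the cainjector
# ServiceAccount. A ClusterRoleBinding makes the role's rules apply in every
# namespace.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "cainjector"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: "kube-apps"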
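---
# Source: cert-manager/templates/rbac.yaml
# Binds the challenges controller ClusterRole to the cert-manager
# ServiceAccount. A ClusterRoleBinding makes the role's rules apply in every
# namespace.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "kube-apps"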
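---
# Source: cert-manager/templates/rbac.yaml
# Binds the issuers controller ClusterRole to the cert-manager ServiceAccount.
# A ClusterRoleBinding makes the role's rules, including its Secret access,
# apply in every namespace.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the
# GA version and is already used by the cert-manager-view/-edit roles in this
# manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: "kube-apps"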
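---
# Source: cert-manager/templates/rbac.yaml
# Binds the cert-manager-controller-certificates ClusterRole to the
# cert-manager ServiceAccount in kube-apps, cluster-wide.
# NOTE(review): the referenced ClusterRole is outside this excerpt; audit its
# rules before accepting a binding that is effective in every namespace.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated in favour of
# the schema-identical v1 API and is not served from Kubernetes 1.22 onwards.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - name: cert-manager
    namespace: "kube-apps"
    kind: ServiceAccount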
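---
# Source: cert-manager/templates/rbac.yaml
# Binds the cert-manager-controller-orders ClusterRole to the cert-manager
# ServiceAccount in kube-apps, cluster-wide.
# NOTE(review): the referenced ClusterRole is outside this excerpt; audit its
# rules before accepting a binding that is effective in every namespace.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated in favour of
# the schema-identical v1 API and is not served from Kubernetes 1.22 onwards.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - name: cert-manager
    namespace: "kube-apps"
    kind: ServiceAccount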
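---
# Source: cert-manager/templates/rbac.yaml
# Binds the cert-manager-controller-clusterissuers ClusterRole to the
# cert-manager ServiceAccount in kube-apps, cluster-wide.
# NOTE(review): the referenced ClusterRole is outside this excerpt; audit its
# rules before accepting a binding that is effective in every namespace.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated in favour of
# the schema-identical v1 API and is not served from Kubernetes 1.22 onwards.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - name: cert-manager
    namespace: "kube-apps"
    kind: ServiceAccount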
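---
# Source: cert-manager/templates/rbac.yaml
# Binds the cert-manager-controller-ingress-shim ClusterRole to the
# cert-manager ServiceAccount in kube-apps, cluster-wide.
# NOTE(review): the referenced ClusterRole is outside this excerpt; audit its
# rules before accepting a binding that is effective in every namespace.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated in favour of
# the schema-identical v1 API and is not served from Kubernetes 1.22 onwards.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - name: cert-manager
    namespace: "kube-apps"
    kind: ServiceAccount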
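---
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
# Namespaced Role in kube-system granting ConfigMap access for cainjector
# leader election.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "cainjector"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  # NOTE(review): with no resourceNames this rule covers every ConfigMap in
  # kube-system, which is far more than a leader-election lock needs.
  # get/update/patch can be limited with
  # resourceNames: ["<leader-election-configmap-name>"]; create cannot be
  # restricted by name and would need a rule of its own.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]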
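---
# Source: cert-manager/templates/rbac.yaml
# Namespaced Role in kube-system granting ConfigMap access for controller
# leader election.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
rules:
  # Used for leader election by the controller
  # TODO: refine the permission to *just* the leader election configmap
  # NOTE(review): with no resourceNames this rule covers every ConfigMap in
  # kube-system, which is far more than a leader-election lock needs.
  # get/update/patch can be limited with
  # resourceNames: ["<leader-election-configmap-name>"]; create cannot be
  # restricted by name and would need a rule of its own.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]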
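---
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
# The subject lives in kube-apps while the Role and this binding live in
# kube-system, so a workload namespace is given write access to ConfigMaps in
# the system namespace.
# NOTE(review): any principal allowed to create pods in kube-apps can run them
# as the bound ServiceAccount; keep pod creation in that namespace restricted.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "cainjector"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
subjects:
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: kube-apps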
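---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
# The subject lives in kube-apps while the Role and this binding live in
# kube-system, so a workload namespace is given write access to ConfigMaps in
# the system namespace.
# NOTE(review): any principal allowed to create pods in kube-apps can run them
# as the bound ServiceAccount; keep pod creation in that namespace restricted.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
subjects:
  # The empty apiGroup is the core group, which is where ServiceAccount lives.
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: kube-apps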
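---
# Source: cert-manager/templates/service.yaml
# ClusterIP Service in front of the controller pods on TCP 9402, the port the
# controller Deployment declares as containerPort and advertises in its
# prometheus.io/port annotation.
# NOTE(review): ClusterIP keeps this off external load balancers, but the
# port is still reachable from other pods unless a NetworkPolicy restricts
# it; none is visible in this excerpt.
apiVersion: v1
kind: Service
metadata:
  namespace: kube-apps
  name: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"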
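---
# Source: cert-manager/templates/webhook-service.yaml
# ClusterIP Service that the webhook configurations and the CRD conversion
# config reference as cert-manager-webhook in kube-apps. Port 443 forwards to
# 10250, the value passed to the webhook container as --secure-port.
apiVersion: v1
kind: Service
metadata:
  namespace: kube-apps
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "webhook"
    helm.sh/chart: cert-manager-v0.14.1
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      targetPort: 10250
  # NOTE(review): the selector decides which pods answer admission requests;
  # only the webhook Deployment should be able to carry these three labels in
  # kube-apps.
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"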
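---
# Source: cert-manager/templates/cainjector-deployment.yaml
# Single-replica Deployment of the cainjector image, running as the
# cert-manager-cainjector ServiceAccount and using kube-system for leader
# election.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: kube-apps
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "cainjector"
    helm.sh/chart: cert-manager-v0.14.1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "cainjector"
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: "cainjector"
        helm.sh/chart: cert-manager-v0.14.1
      # The rendered template left this key empty; written as an explicit
      # empty map instead of a bare null.
      annotations: {}
    spec:
      serviceAccountName: cert-manager-cainjector
      # NOTE(review): no pod or container securityContext is set. Consider
      # runAsNonRoot, allowPrivilegeEscalation: false, a read-only root
      # filesystem and dropped capabilities after confirming the image
      # supports them.
      containers:
        - name: cert-manager
          # NOTE(review): a tag can be repointed in the registry; pinning to
          # image@sha256:<digest> makes the deployed binary verifiable.
          image: "quay.io/jetstack/cert-manager-cainjector:v0.14.1"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            - --leader-election-namespace=kube-system
          env:
            # Downward API: exposes the pod's own namespace to the process.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): no CPU/memory requests or limits are set, so the
          # container is unbounded on its node.
          resources: {}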
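---
# Source: cert-manager/templates/deployment.yaml
# Single-replica Deployment of the cert-manager controller, running as the
# cert-manager ServiceAccount that the ClusterRoleBindings in this manifest
# bind to the cert-manager-controller-* ClusterRoles.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: kube-apps
  name: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "controller"
    helm.sh/chart: cert-manager-v0.14.1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "controller"
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "controller"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v0.14.1
      annotations:
        # Annotation values must be strings, hence the quoting.
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      # NOTE(review): no pod or container securityContext is set. Consider
      # runAsNonRoot, allowPrivilegeEscalation: false, a read-only root
      # filesystem and dropped capabilities after confirming the image
      # supports them.
      containers:
        - name: cert-manager
          # NOTE(review): a tag can be repointed in the registry; pinning to
          # image@sha256:<digest> makes the deployed binary verifiable.
          image: "quay.io/jetstack/cert-manager-controller:v0.14.1"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # $(POD_NAMESPACE) is expanded by the kubelet from the env entry
            # below, so cluster-scoped resources and the webhook secrets
            # resolve to the namespace this pod runs in.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=kube-system
            - --webhook-namespace=$(POD_NAMESPACE)
            # The serving secret named here is the one the webhook Deployment
            # mounts at /certs and the inject-ca-from-secret annotations
            # reference; access to these two Secrets should be limited to
            # cert-manager's own components.
            - --webhook-ca-secret=cert-manager-webhook-ca
            - --webhook-serving-secret=cert-manager-webhook-tls
            - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.kube-apps,cert-manager-webhook.kube-apps.svc
          ports:
            - containerPort: 9402
              protocol: TCP
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): no CPU/memory requests or limits are set, so the
          # container is unbounded on its node.
          resources: {}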
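---
# Source: cert-manager/templates/webhook-deployment.yaml
# Single-replica Deployment of the webhook server. It serves TLS on 10250
# with the key pair mounted from the cert-manager-webhook-tls Secret and
# answers health probes over plain HTTP on 6080.
# NOTE(review): both webhook configurations in this manifest use
# failurePolicy: Fail, so with replicas: 1 any restart of this pod blocks
# CREATE/UPDATE of the matched cert-manager resources until it is back.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: kube-apps
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "webhook"
    helm.sh/chart: cert-manager-v0.14.1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "webhook"
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: "webhook"
        helm.sh/chart: cert-manager-v0.14.1
      # The rendered template left this key empty; written as an explicit
      # empty map instead of a bare null.
      annotations: {}
    spec:
      serviceAccountName: cert-manager-webhook
      # NOTE(review): no pod or container securityContext is set. Consider
      # runAsNonRoot, allowPrivilegeEscalation: false, a read-only root
      # filesystem and dropped capabilities after confirming the image
      # supports them.
      containers:
        - name: cert-manager
          # NOTE(review): a tag can be repointed in the registry; pinning to
          # image@sha256:<digest> makes the deployed binary verifiable.
          image: "quay.io/jetstack/cert-manager-webhook:v0.14.1"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # Must match targetPort of the cert-manager-webhook Service.
            - --secure-port=10250
            - --tls-cert-file=/certs/tls.crt
            - --tls-private-key-file=/certs/tls.key
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): no CPU/memory requests or limits are set, so the
          # container is unbounded on its node.
          resources: {}
          volumeMounts:
            - name: certs
              mountPath: /certs
      volumes:
        # Serving certificate and private key; read access to this Secret is
        # enough to impersonate the webhook to the API server.
        - name: certs
          secret:
            secretName: cert-manager-webhook-tls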
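---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Registers the cert-manager-webhook Service as a mutating admission webhook
# for CREATE and UPDATE of every v1alpha2 resource in the cert-manager.io and
# acme.cert-manager.io groups.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is deprecated and not
# served from Kubernetes 1.22 onwards; the v1 API additionally requires
# admissionReviewVersions on each webhook.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "webhook"
    helm.sh/chart: cert-manager-v0.14.1
  annotations:
    # clientConfig below carries no caBundle; this annotation names the
    # Secret whose CA is expected to be injected into it. Whoever can write
    # that Secret controls which server the API server will trust here.
    cert-manager.io/inject-ca-from-secret: "kube-apps/cert-manager-webhook-tls"
webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    # Fail closed: matched requests are rejected when the webhook cannot be
    # reached, rather than admitted without mutation.
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: kube-apps
        path: /mutate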
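---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Registers the cert-manager-webhook Service as a validating admission
# webhook for CREATE and UPDATE of every v1alpha2 resource in the
# cert-manager.io and acme.cert-manager.io groups, except in namespaces the
# namespaceSelector excludes.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is deprecated and not
# served from Kubernetes 1.22 onwards; the v1 API additionally requires
# admissionReviewVersions on each webhook.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: "webhook"
    helm.sh/chart: cert-manager-v0.14.1
  annotations:
    # clientConfig below carries no caBundle; this annotation names the
    # Secret whose CA is expected to be injected into it. Whoever can write
    # that Secret controls which server the API server will trust here.
    cert-manager.io/inject-ca-from-secret: "kube-apps/cert-manager-webhook-tls"
webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
        # Namespaces carrying this label skip validation entirely, so
        # permission to label namespaces is effectively permission to turn
        # this control off; audit who holds it.
        - key: "cert-manager.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        # NOTE(review): this exempts namespaces labelled name=cert-manager,
        # while every namespaced object in this manifest is in kube-apps;
        # verify which namespace is meant to be exempt.
        - key: "name"
          operator: "NotIn"
          values:
            - cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    # Fail closed: matched requests are rejected when the webhook cannot be
    # reached, rather than admitted unvalidated.
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      service:
        name: cert-manager-webhook
        namespace: "kube-apps"
        # NOTE(review): this validating configuration calls /mutate, the same
        # path as the MutatingWebhookConfiguration of the same name; confirm
        # the webhook serves validation on that path in this chart version.
        path: /mutate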